Remove X-PHP-SCRIPT


Black Jack 21


$PHP_SELF is already set (in /includes/application_top.php) so it is best to use that for consistency, in my opinion.

 

I lost track of this issue until I found the post over in the updated security thread. All fixed up now so the admin isn't shown as noted. Thanks!!

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


  • 2 weeks later...

Is it necessary to change this with a shop running 2.3.1? When I test this with an email address on the same server, it shows my admin folder in the header, but with 3 other email accounts: gmail, yahoo, and a privately hosted account, the admin folder does not show up in the header...


I've read this through a few times now but I'm still not clear. Under what circumstances does an email get produced with the offending X-PHP-SCRIPT statement?

 

I have 2.3.1, recently installed and not yet open to the public. I placed a test order and I don't see X-PHP-SCRIPT in the header of the confirmation email.

 

In order to diagnose and eradicate the problem, I need to actually see it happen. I also need to know all the circumstances that can make it happen so I can check that it isn't happening any more once I apply the fix.

 

Andy, in my case the admin folder was showing up when I "emailed" from within my store to a customer. As well it would show up with an order update and/or confirmation email, which is done automatically when something is purchased from your store.

 

I found this by creating a dummy account with a real email address and ran some tests. By looking at the email properties in Outlook and Outlook Express I saw the admin folder name.

 

After making recommended mods, the admin folder was "hidden".

 

This occurred on both 2.2 and 2.3.1 shops by the way.

 

Good luck.


Thanks, altoid.

 

I've tried sending an email from the Customers list in the admin too, but it doesn't put the name of the admin folder in the emails, either way. Maybe it's down to the way the hosting company has email set up.

 

Perhaps I shouldn't rely on it though. I guess I could do the changes even though I can't see the results. It feels a bit strange not being able to test it though.

 

There was some discussion a while ago in another string in osC on this topic. If you google around and can find that, there was some more expert commentary from professionals. That got my attention, and only recently did I find where a workaround had been posted. Hiding the admin folder in emails is just one of many steps to take for site security.

 

Anyway...good luck with all that.

I've been reading this security thread:

http://www.oscommerce.com/forums/topic/375288-updated-security-thread/

 

which led me to this current one. I also found a long rambling discussion that started out as being about the admin folder name appearing in emails, but drifted off onto other topics. It was a long thread so I gave up on it.

 

The thread to which you linked is the most recent thread giving pertinent advice on what every shop owner should do. The older thread is waaaayyyyy out of date and should now be consigned to history.


  • 3 weeks later...

Hmm...as I'm looking to button up security on the shop, I was concerned about this issue. I'm running OSC 2.3.1, however I also cannot seem to locate the admin folder, nor the X-PHP portion. Here is the full source of an email I sent to my dummy account via Admin > Tools > Send Email as well as updating the order status.

 

I'm concerned I may be missing it somehow.

 

Received: (qmail 11675 invoked from network); 11 Sep 2011 16:52:26 -0000
Received: from unknown (HELO prod.phx3.secureserver.net) ([xxx.xxx.xxx.xxx])
	 (envelope-sender <[email protected]>)
	 by prod.mesa1.secureserver.net (qmail-1.03) with SMTP
	 for <[email protected]>; 11 Sep 2011 16:52:26 -0000
X-IronPort-Anti-Spam-Result: Av0CANDmbE5Ip+rvkWdsb2JhbAAnGoRVgXmhYAEBAQEJCQ0HEiiBSTN0AT4CQxyIDiSWBY1gkCqFXYERBIdthDKSbIVu
Received: from prod.phx3.secureserver.net ([xxx.xxx.xxx.xxx])
by prod.phx3.secureserver.net with SMTP; 11 Sep 2011 09:52:26 -0700
Received: (qmail 14369 invoked from network); 11 Sep 2011 16:52:26 -0000
Received: from prod.phx3.secureserver.net ([xxx.xxx.xxx.xxx])
	 (envelope-sender <[email protected]>)
	 by prod.phx3.secureserver.net (qmail-ldap-1.03) with SMTP
	 for <[email protected]>; 11 Sep 2011 16:52:26 -0000
Received: from prod.phx3.secureserver.net (localhost [127.0.0.1])
 by prod.phx3.secureserver.net (8.13.8/8.12.11) with ESMTP id p8BGqQMA011646
 for <[email protected]>; Sun, 11 Sep 2011 09:52:26 -0700
Received: (from ftpusername@localhost)
 by prod.phx3.secureserver.net (8.13.8/8.12.11/Submit) id p8BGqQBv011643;
 Sun, 11 Sep 2011 09:52:26 -0700
Date: Sun, 11 Sep 2011 09:52:26 -0700
Message-Id: <prod.phx3.secureserver.net>
To: "Customer Name" <[email protected]>
Subject: Order Update
From: "Admin Name" <[email protected]>
MIME-Version: 1.0
X-Mailer: osCommerce
Content-Type: multipart/alternative;
 boundary="=_69c71cdb070f61dd3198e8e1ac3afe4a"
X-Nonspam: Whitelist
--=_69c71cdb070f61dd3198e8e1ac3afe4a
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Company Name, LLC.
------------------------------------------------------
Order Number: XXXXX
Detailed Invoice: https://mydomain.com/account_history_info.php?order_id=XXXXX
Date Ordered: Sunday 11 September, 2011
The comments for your order are
Testing status update to verify admin folder in email headers or not. :D

Your order has been updated to the following status.
New status: Shipped
Please reply to this email if you have any questions.
--=_69c71cdb070f61dd3198e8e1ac3afe4a
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Company Name, LLC.<br />-----------------------------------------------=
-------<br />Order Number: XXXXX<br />Detailed Invoice: https://mydomain.com=
/account_history_info.php?order_id=XXXXX<br />Date Ordered: Sunday 11 Sep=
tember, 2011<br /><br />The comments for your order are<br /><br />Testing =
status update to verify admin folder in email headers or not. :D<br /><br /=
><br /><br />Your order has been updated to the following status.<br /><br =
/>New status: Shipped<br /><br />Please reply to this email if you have any=
questions.<br />
--=_69c71cdb070f61dd3198e8e1ac3afe4a--

 

The only concern I can identify is that it's using the FTP username as the sender, see "[email protected]" above. I'm not certain if that is much of a threat if they don't know it's the username. Regardless, I'm not sure how to alter that info anyway...any ideas?

 

I can't find anything in regards to X-PHP or the admin directory. I'm using grid hosting via GoDaddy for my host.

 

Peace,

Chris


  • 5 months later...

Okay, I am getting confused when I read through this thread, so I am going to post what I did and someone please tell me if it is right or not. And if it's wrong, what I need to do to make it right.

 

In admin/mail.php I added the following to the end of the file, right before the last ?> (because I didn't see where it was stated to put this code):

 

// before sending mail, change PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

 

Then in admin/order.php

 

I found

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

and replaced it with

// Before sending mail, chg PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
//**********ORIGINAL CODE**************
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
//**********END ORIGINAL CODE**********
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
//End Modification to email header

 

Is that correct and is that all that needs to be done to prevent any instance of the renamed admin folder name appearing in emails?

 

Btw, this is for a 2.3.1 shop


Same here, I don't know where to put the code. Here is my admin/orders file; if someone can tell me where I need to add the code, please..

 

<?php
/*
 $Id: mail.php,v 1.1 2004/06/08 14:23:14 esf Exp $
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
 Copyright (c) 2003 osCommerce
 Released under the GNU General Public License
*/
 require('includes/application_top.php');
 $action = (isset($HTTP_GET_VARS['action']) ? $HTTP_GET_VARS['action'] : '');
 if ( ($action == 'send_email_to_user') && isset($HTTP_POST_VARS['customers_email_address']) && !isset($HTTP_POST_VARS['back_x']) ) {
   switch ($HTTP_POST_VARS['customers_email_address']) {
  case '***':
    $mail_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS);
    $mail_sent_to = TEXT_ALL_CUSTOMERS;
    break;
  case '**D':
    $mail_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_newsletter = '1'");
    $mail_sent_to = TEXT_NEWSLETTER_CUSTOMERS;
    break;
  default:
    $customers_email_address = tep_db_prepare_input($HTTP_POST_VARS['customers_email_address']);
    $mail_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($customers_email_address) . "'");
    $mail_sent_to = $HTTP_POST_VARS['customers_email_address'];
    break;
   }
   $from = tep_db_prepare_input($HTTP_POST_VARS['from']);
   $subject = tep_db_prepare_input($HTTP_POST_VARS['subject']);
   $message = tep_db_prepare_input($HTTP_POST_VARS['message']);
   //Let's build a message object using the email class
   $mimemessage = new email(array('X-Mailer: osCommerce'));
   // add the message to the object

// MaxiDVD Added Line For WYSIWYG HTML Area: BOF (Send TEXT Email when WYSIWYG Disabled)
   if (HTML_AREA_WYSIWYG_DISABLE_EMAIL == 'Disable') {
   $mimemessage->add_text($message);
   } else {
   $mimemessage->add_html($message);
   }
// MaxiDVD Added Line For WYSIWYG HTML Area: EOF (Send HTML Email when WYSIWYG Enabled)
   $mimemessage->build_message();
   while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
   }
   tep_redirect(tep_href_link(FILENAME_MAIL, 'mail_sent_to=' . urlencode($mail_sent_to)));
 }
 if ( ($action == 'preview') && !isset($HTTP_POST_VARS['customers_email_address']) ) {
   $messageStack->add(ERROR_NO_CUSTOMER_SELECTED, 'error');
 }
 if (isset($HTTP_GET_VARS['mail_sent_to'])) {
   $messageStack->add(sprintf(NOTICE_EMAIL_SENT_TO, $HTTP_GET_VARS['mail_sent_to']), 'success');
 }
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
   <script language="JavaScript">
<!-- Begin
   function init() {
define('customers_email_address', 'string', 'Customer or Newsletter Group');
}
//  End -->
</script>
</head>
<body OnLoad="init()" marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->
<!-- body //-->
<table border="0" width="100%" cellspacing="2" cellpadding="2">
 <tr>
   <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="1" cellpadding="1" class="columnLeft">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
   </table></td>
<!-- body_text //-->
   <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr>
    <td width="100%"><table border="0" width="100%" cellspacing="0" cellpadding="0">
	  <tr>
	    <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
	    <td class="pageHeading" align="right"><?php echo tep_draw_separator('pixel_trans.gif', HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
	  </tr>
    </table></td>
  </tr>
  <tr>
    <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
<?php
 if ( ($action == 'preview') && isset($HTTP_POST_VARS['customers_email_address']) ) {
   switch ($HTTP_POST_VARS['customers_email_address']) {
  case '***':
    $mail_sent_to = TEXT_ALL_CUSTOMERS;
    break;
  case '**D':
    $mail_sent_to = TEXT_NEWSLETTER_CUSTOMERS;
    break;
  default:
    $mail_sent_to = $HTTP_POST_VARS['customers_email_address'];
    break;
   }
?>
	  <tr><?php echo tep_draw_form('mail', FILENAME_MAIL, 'action=send_email_to_user'); ?>
	    <td><table border="0" width="100%" cellpadding="0" cellspacing="2">
		  <tr>
		    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="smallText"><b><?php echo TEXT_CUSTOMER; ?></b><br><?php echo $mail_sent_to; ?></td>
		  </tr>
		  <tr>
		    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="smallText"><b><?php echo TEXT_FROM; ?></b><br><?php echo htmlspecialchars(stripslashes($HTTP_POST_VARS['from'])); ?></td>
		  </tr>
		  <tr>
		    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="smallText"><b><?php echo TEXT_SUBJECT; ?></b><br><?php echo htmlspecialchars(stripslashes($HTTP_POST_VARS['subject'])); ?></td>
		  </tr>
		  <tr>
		    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="smallText"><b><?php echo TEXT_MESSAGE; ?></b><br><?php if (HTML_AREA_WYSIWYG_DISABLE_EMAIL == 'Enable') { echo (stripslashes($HTTP_POST_VARS['message'])); } else { echo htmlspecialchars(stripslashes($HTTP_POST_VARS['message'])); } ?></td>
		  </tr>
		  <tr>
		    <td><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td>
<?php
/* Re-Post all POST'ed variables */
   reset($HTTP_POST_VARS);
   while (list($key, $value) = each($HTTP_POST_VARS)) {
  if (!is_array($HTTP_POST_VARS[$key])) {
    echo tep_draw_hidden_field($key, htmlspecialchars(stripslashes($value)));
  }
   }
?>
			    <tr>
			    <td align="right"><?php echo '<a href="' . tep_href_link(FILENAME_MAIL) . '">' . tep_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a> ' . tep_image_submit('button_send_mail.gif', IMAGE_SEND_EMAIL); ?></td>
			    </tr>
			    <td class="smallText">
		    <?php if (HTML_AREA_WYSIWYG_DISABLE_EMAIL == 'Disable'){echo tep_image_submit('button_back.gif', IMAGE_BACK, 'name="back"');
		    } ?><?php if (HTML_AREA_WYSIWYG_DISABLE_EMAIL == 'Disable') {echo(TEXT_EMAIL_BUTTON_HTML);
			 } else { echo(TEXT_EMAIL_BUTTON_TEXT); } ?>
			    </td>
			  </tr>
		    </table></td>
		 </tr>
	    </table></td>
	  </form></tr>


<?php
 } else {
?>
	  <tr><?php echo tep_draw_form('mail', FILENAME_MAIL, 'action=preview'); ?>
	    <td><table border="0" cellpadding="0" cellspacing="2">
		  <tr>
		    <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
<?php
   $customers = array();
   $customers[] = array('id' => '', 'text' => TEXT_SELECT_CUSTOMER);
   $customers[] = array('id' => '***', 'text' => TEXT_ALL_CUSTOMERS);
   $customers[] = array('id' => '**D', 'text' => TEXT_NEWSLETTER_CUSTOMERS);
   $mail_query = tep_db_query("select customers_email_address, customers_firstname, customers_lastname from " . TABLE_CUSTOMERS . " order by customers_lastname");
   while($customers_values = tep_db_fetch_array($mail_query)) {
  $customers[] = array('id' => $customers_values['customers_email_address'],
					   'text' => $customers_values['customers_lastname'] . ', ' . $customers_values['customers_firstname'] . ' (' . $customers_values['customers_email_address'] . ')');
   }
?>
		  <tr>
		    <td class="main"><?php echo TEXT_CUSTOMER; ?></td>
		    <td><?php echo tep_draw_pull_down_menu('customers_email_address', $customers, (isset($HTTP_GET_VARS['customer']) ? $HTTP_GET_VARS['customer'] : ''));?></td>
		  </tr>
		  <tr>
		    <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="main"><?php echo TEXT_FROM; ?></td>
		    <td><?php echo tep_draw_input_field('from', EMAIL_FROM); ?></td>
		  </tr>
		  <tr>
		    <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td class="main"><?php echo TEXT_SUBJECT; ?></td>
		    <td><?php echo tep_draw_input_field('subject'); ?></td>
		  </tr>
		  <tr>
		    <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>
		    <td valign="top" class="main"><?php echo TEXT_MESSAGE; ?></td>
		    <td><?php echo tep_draw_fckeditor('message', 'soft', FCK_EDITOR_WIDTH, FCK_EDITOR_HEIGHT,''); ?></td>
		  </tr>
		  <tr>
		    <td colspan="2"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
		  </tr>
		  <tr>


		    <td colspan="2" align="right">
			 <?php if (HTML_AREA_WYSIWYG_DISABLE_EMAIL == 'Enable'){ echo tep_image_submit('button_send_mail.gif', IMAGE_SEND_EMAIL, 'onClick="validate();return returnVal;"');
			   } else {
		    echo tep_image_submit('button_send_mail.gif', IMAGE_SEND_EMAIL); }?>
		    </td>


		  </tr>
	    </table></td>
	  </form></tr>
<?php
 }
?>
<!-- body_text_eof //-->
    </table></td>
  </tr>
   </table></td>
 </tr>
</table>
<!-- body_eof //-->
<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>


@@ggrant3

 

I did this a while ago and dug up my notes on the install. I did this on my 2.2 RC2a and 2.3.1 shops.

 

I did test emails before and after the mods were installed to make sure all worked. I recommend you do the same.

 

Keep back ups of course, just in case.

 

You'll see a couple options at the end for code. I had a couple of folks helping me back when and both folks took a different approach. Either should work.

 

So the following isn't my stuff, it's from folks who helped me. See my signature. :)

 

Another tip, after the mod, compare your original file and the modded file with a file compare, just to make sure you actually did what you intended to do.

 

Here's my notes:

 

 

From this thread:

 

http://www.oscommerce.com/forums/topic/312606-remove-x-php-script/page__st__20

 

In admin/mail.php

 

From

 

while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}

 

to

 

// before sending mail, change PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

 

In admin/orders.php

 

From

 

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

to

 

$tempvar = $PHP_SELF;
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$PHP_SELF = $tempvar;

 

alternate code for admin/orders.php

 

// Before sending mail, chg PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
//**********ORIGINAL CODE**************
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
//**********END ORIGINAL CODE**********
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
//End Modification to email header


@@missery

 

The code you provided must be from a different version than what I have so I don't know if what I posted above will be of much help.



Ok mate no problem, thanks for the reply, appreciated

best regards


  • 2 weeks later...

Alright, I tried that, and when I did, I lost my email function from the web site. When I went through the admin control panel to send out an email, the page was blank. I've also noticed, it appears that I can't send or receive emails through the site. I am lost at this, and wondering if it is all tied together somehow. I have set the files stated above, back to the original way for now, till I can figure out what went wrong.


I just tested your code

 

From this thread:
http://www.oscommerce.com/forums/topic/312606-remove-x-php-script/page__st__20
In admin/mail.php
From
while ($mail = tep_db_fetch_array($mail_query)) {
$mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
to
// before sending mail, change PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
while ($mail = tep_db_fetch_array($mail_query)) {
$mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
In admin/orders.php
From
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
to
$tempvar = $PHP_SELF;
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$PHP_SELF = $tempvar;
alternate code for admin/orders.php
// Before sending mail, chg PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
//**********ORIGINAL CODE**************
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
//**********END ORIGINAL CODE**********
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
//End Modification to email header

 

and this seems to be working fine for me now. I am still able to send emails and order updates, so everything looks fine. Thank you

 

regards


I'm afraid the earlier fix for removing X-PHP-Script may no longer work, as hosts have got wise to it.

 

The reason hosts add X-PHP-Script is so they can easily track the source of any spam sent from their servers.

 

There is a more comprehensive method to prevent X-PHP-Script showing your path:

 

$hide = array('PHP_SELF' => '', 'SCRIPT_FILENAME' => '', 'REQUEST_URI' => '', 'SCRIPT_NAME' => '');
while (list($key,) = each($hide))
{
  $hide[$key] = $_SERVER[$key];
  $_SERVER[$key] = '/';
}
mail($to, $subject, $message, $headers, $returnpath);
reset($hide);
while (list($key,) = each($hide)) $_SERVER[$key] = $hide[$key];

 

That removes the path from all the server vars that it appears in, so preventing the host's script adding it to X-PHP-Script.

 

 

However, the story doesn't end there: if you send mail to another domain (not just to your own), some additional headers may appear: x-source, x-source-args and x-source-dir, which also show the path even with the above mod. Unless someone can find where these additional vars get their data, it makes the removal from X-PHP-Script pointless.

 

The only other solution is to have your mail script in your root, redirect there to send, then redirect back on completion. Though that seems rather 'clunky', I don't see another way.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

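Added example, not code from this thread or from osCommerce: a small Python check that parses a raw e-mail, such as the test messages posters above send to their own accounts, and reports every header that carries the script path (X-PHP-Script, the x-source headers named just above, and PHP's own X-PHP-Originating-Script) or a name that should stay private, plus the "(from user@localhost)" Received line that exposed the FTP username earlier in the thread. The two sample messages are constructed; their domains, account names and the admin directory name are placeholders.

```python
"""Scan a raw e-mail for headers that leak the sending script's path."""
import email
import re

# Headers that carry the sending script's path or directory (lower-cased for
# matching). X-PHP-Originating-Script is what PHP itself adds when
# mail.add_x_header is on; the others are added by hosting mail wrappers.
PATH_HEADERS = {
    "x-php-script",
    "x-php-originating-script",
    "x-source",
    "x-source-args",
    "x-source-dir",
}

# "Received: (from user@localhost)" written by a local sendmail submission
# reveals the hosting account name, as seen in the headers posted earlier.
LOCAL_SENDER_RE = re.compile(r"\(from\s+([^@\s]+)@localhost\)", re.IGNORECASE)


def scan_headers(raw_message, secret_names=()):
    """Return a list of (header_name, reason) findings for one raw message.

    secret_names: strings that must never appear in any header, e.g. the
    renamed admin directory or the hosting account's username.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for name, value in msg.items():
        value = " ".join(value.split())  # unfold continuation lines
        lname = name.lower()
        if lname in PATH_HEADERS:
            findings.append((name, "path-carrying header: " + value))
        if lname == "received":
            m = LOCAL_SENDER_RE.search(value)
            if m:
                findings.append((name, "local account exposed: " + m.group(1)))
        for secret in secret_names:
            if secret and secret.lower() in value.lower():
                findings.append((name, "contains '%s'" % secret))
    return findings


def is_clean(raw_message, secret_names=()):
    """True when scan_headers raises nothing; run it on a fresh test order."""
    return not scan_headers(raw_message, secret_names)


# Constructed sample 1 (placeholder names): no X-PHP-Script, but the local
# account is visible in the Received line and reused as the From address.
SAMPLE_NO_X_PHP = """\
Received: (from ftpusername@localhost)
 by mail.example.invalid (8.13.8/8.12.11/Submit) id p8BGqQBv011643;
 Sun, 11 Sep 2011 09:52:26 -0700
Date: Sun, 11 Sep 2011 09:52:26 -0700
To: "Customer Name" <customer@example.invalid>
Subject: Order Update
From: "Admin Name" <ftpusername@example.invalid>
MIME-Version: 1.0
X-Mailer: osCommerce

Your order has been updated.
"""

# Constructed sample 2 (placeholder names): the kind of headers a hosting
# mail wrapper adds, exposing the renamed admin directory and home path.
SAMPLE_LEAKING = """\
Received: (from acct123@localhost)
 by mail.example.invalid (8.13.8/8.12.11/Submit) id p8BGqQBv011643;
 Sun, 11 Sep 2011 09:52:26 -0700
X-PHP-Script: shop.example.invalid/myadmin123/orders.php for 203.0.113.5
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/acct123/public_html/myadmin123/orders.php
X-Source-Dir: shop.example.invalid:/public_html/myadmin123
Date: Sun, 11 Sep 2011 09:52:26 -0700
To: "Customer Name" <customer@example.invalid>
Subject: Order Update
From: "Admin Name" <shop@example.invalid>
X-Mailer: osCommerce

Your order has been updated.
"""

if __name__ == "__main__":
    secrets = ("myadmin123", "ftpusername", "acct123")
    for label, raw in (("no X-PHP-Script", SAMPLE_NO_X_PHP), ("leaking", SAMPLE_LEAKING)):
        print(label + ":")
        for header, reason in scan_headers(raw, secret_names=secrets):
            print("  %-14s %s" % (header, reason))
```

Paste the full source of a message you sent to yourself (as Chris did above) into a file and feed it to scan_headers with your admin directory name and hosting username as secret_names; an empty result after the mod is the confirmation the thread keeps asking for.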

@@spooks

 

Firstly welcome back!

 

I took this up with my hosting company, and they are on board with the issue and have taken it up with the cpanel developers to see if the script can be changed so as to not point to a specific directory.

 

We will see...........

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


@@Mort-lemur

 

Thanks, it's good to be back. :)

 

Yes I am surprised they seem happy to reveal such info to all and sundry. :blink:

 

It wouldn't be hard for them to simply encode some or all of it if they feel it essential.


  • 1 month later...

I haven't read whole thread, so I may be repeating someone else's answer.

 

There are 2 ways.

 

way 1: you have access to php.ini file

open: php.ini file

find: mail.add_x_header

set to: Off

restart server

 

way 2: you do not have any access to php.ini

open: .htaccess file

add at the end: php_flag mail.add_x_header off

you may want to do that in .htaccess files located in both: catalog and admin

 

NOTE:

I have heard (though not tested) that some servers may have problems with the above set to off - just test it by sending some emails to your own accounts - e.g. google, yahoo, something other ...


  • 4 weeks later...

Just as an FYI, I tried that on my 2.3.1 site (hosted by HostPapa) and it barfed with a "500 Internal Server Error" message.

 

Regards,

 

Chris


  • 1 month later...

Hi all,

 

I'm just wondering if anyone has found a workable solution to this problem. I have attempted all the fixes listed in this thread for both my old 2.2rca shop and my new 2.3.2 (newly upgraded store), and as I have found out they no longer work.

 

Any tips, tricks or advice would be appreciated.

 

Cheers!


Hi,

 

I can't pretend to understand too much of what is going on here; I was confused because, looking at the headers of the emails sent from my store, I couldn't see anything untoward.

 

After reading item #246 by jeffz2011 I checked admin>tools>server info (osc 2.3.1 but probably the same in 2.2?), under the section CONFIGURATION>core there is a “mail.add_x_header” (fortunately the items are in alphabetic order), mine is set to “off”, maybe that is why some see the problem and some don’t?

 

Regarding implementation of any change to hide the admin directory, might it be marginally easier to put it in the tep_mail function in general.php? Either which way, the proposal by jeffz2011 seems to be the better option if it can be implemented.
