Jump to content

Archived

This topic is now archived and is closed to further replies.

Black Jack 21

Remove X-PHP-SCRIPT

Recommended Posts

Hi,

 

i've often read about renaming admin folder for security reasons. Unfortunately, the admin folder name is written in every e-mails send by order.php in the X-PHP-SCRIPT statement.

 

Is there any idea to remove the X-PHP-SCRIPT line from the e-mail header?

 

 

Black Jack 21

Share this post


Link to post
Share on other sites

I think it would come from includes/classes/mime.php There is one in the catalog and another mime file in the admin.

Share this post


Link to post
Share on other sites

Does anyone have a definite answer for it? Does this X-PHP-Script header originate from the OSC code or the sendmail server itself? Cause I took a look at the mime class files and I didn't find anything relevant...

Share this post


Link to post
Share on other sites

I can't see any reference to the admin folder name in any email.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

Share this post


Link to post
Share on other sites

So this means that the X-PHP-Script header comes from the mail server itself and there's no use in meddling with the OSC source code?

Share this post


Link to post
Share on other sites

X-PHP-Originating-Script: 10143:email.php

 

I also got two emails with this in header just now. I did not touch thing. before is OK. What just happened?

Share this post


Link to post
Share on other sites

Hi,

 

i've often read about renaming admin folder for security reasons. Unfortunately, the admin folder name is written in every e-mails send by order.php in the X-PHP-SCRIPT statement.

 

Is there any idea to remove the X-PHP-SCRIPT line from the e-mail header?

 

 

Black Jack 21

 

Hi..

I think I've found a solution for this, but I (we) need help from someone with php programming skills.

This is what I find in messages now:

X-PHP-Script: emti.no/catalog/admin/mail.php for xx.xxx.xxx.xx

 

If we move the catalog/admin/mail.php to catalog/mail.php and do the programming needed for this, then you will get this in your message: (Same goes for orders.php)

X-PHP-Script: emti.no/catalog/mail.php for xx.xxx.xxx.xx

I did some small changes just to be able to test this.

 

Someone willing to do this job for us?


---------------

regards

sijo

---------------

 

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

 

(osCommerce VTS now also checks for leading and trailing whitespace and also have a grep function)

Share this post


Link to post
Share on other sites

Hi..

I think I've found a solution for this, but I (we) need help from someone with php programming skills.

This is what I find in messages now:

X-PHP-Script: emti.no/catalog/admin/mail.php for xx.xxx.xxx.xx

 

If we move the catalog/admin/mail.php to catalog/mail.php and do the programming needed for this, then you will get this in your message: (Same goes for orders.php)

X-PHP-Script: emti.no/catalog/mail.php for xx.xxx.xxx.xx

I did some small changes just to be able to test this.

 

Someone willing to do this job for us?

I wouldn't do that. You want to open the file that gets exploited in the admin directory to access by one and all in a public directory, in order to hide the name of the admin directory? That's daft.

 

Security that relies just on hiding things, including the name of the admin directory, isn't real security. The fact that the path to the mailer appears in outgoing emails is a bit irritating, but even if someone who orders from your site receives an admin email and finds out what you are calling your admin directory, assuming you have changed it from the default to help avoid exploits on the files it contains, still if you have properly secured it they will not be able to exploit those files.


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!

Share this post


Link to post
Share on other sites

Hi,

 

I know this is an old thread, but I just stumbled across it.

 

Basically I fully agree that renaming your admin is by no means sufficient, make your site as safe as you can following all the other good advices found on the forum. However, I also was a bit disconcerned about sending out the admin folder name with mails.

The solution is actually quite simple. First, the X-PHP-Script header originates from the mail function in PHP itself and is meant as a help to identify the real source of a mail to help against spamming. So far so good. It can be circumvented quite easily though. The mail function simply uses the $PHP_SELF variable for this, so it can easily be faked. In my case the admin/mail.php and admin/orders.php scripts are sending out mails (osCommerce MS2.2), so I did something like this (mail.php as example, do the same in orders.php):

// before sending mail, change PHP_SELF to hide admin dir from mail header
   $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
   $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
   while ($mail = tep_db_fetch_array($mail_query)) {
     $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
   }
   $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

Before sending the mail this stores the value of $PHP_SELF in a temporary variable, puts a false script name in there, and then restores the value after sending the mail. Now the name of the admin folder no more appears in the mail headers.

 

Best wishes

Reiner

Share this post


Link to post
Share on other sites

Hi,

 

I know this is an old thread, but I just stumbled across it.

 

Basically I fully agree that renaming your admin is by no means sufficient, make your site as safe as you can following all the other good advices found on the forum. However, I also was a bit disconcerned about sending out the admin folder name with mails.

The solution is actually quite simple. First, the X-PHP-Script header originates from the mail function in PHP itself and is meant as a help to identify the real source of a mail to help against spamming. So far so good. It can be circumvented quite easily though. The mail function simply uses the $PHP_SELF variable for this, so it can easily be faked. In my case the admin/mail.php and admin/orders.php scripts are sending out mails (osCommerce MS2.2), so I did something like this (mail.php as example, do the same in orders.php):

// before sending mail, change PHP_SELF to hide admin dir from mail header
   $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
   $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
   while ($mail = tep_db_fetch_array($mail_query)) {
     $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
   }
   $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

Before sending the mail this stores the value of $PHP_SELF in a temporary variable, puts a false script name in there, and then restores the value after sending the mail. Now the name of the admin folder no more appears in the mail headers.

 

Best wishes

Reiner

 

Hi Reiner,

 

This doesn't work for me... the X-Php remains visible... any idea or suggestions?

 

Regards,

Martijn

Share this post


Link to post
Share on other sites

Hi Reiner,

 

This doesn't work for me... the X-Php remains visible... any idea or suggestions?

 

Regards,

Martijn

Woops! I didn't see that the changed file didn't upload correctly. Works FINE for me!!! Thanks! :lol:

Share this post


Link to post
Share on other sites

Woops! I didn't see that the changed file didn't upload correctly. Works FINE for me!!! Thanks! :lol:

 

That really looks like a great idea. Any drawbacks?

 

It should be a contribution with easy cut and replace code so everyone could use it.

 

I have had some "fake orders" before, with names like aaaaaaaaa and addresses the same. Only to have hack attempts very soon after. They must wait for that email so they could read the headers and try to hack in.

Share this post


Link to post
Share on other sites

That really looks like a great idea. Any drawbacks?

 

It should be a contribution with easy cut and replace code so everyone could use it.

 

I have had some "fake orders" before, with names like aaaaaaaaa and addresses the same. Only to have hack attempts very soon after. They must wait for that email so they could read the headers and try to hack in.

 

No drawbacks so far. When I'm sending a mail right now, in the detailed header the X-PHP-script shows: http://www.mydomain.nl/mail.php, but you can set whatever name you like!

 

The code shown above is cut & replace in mail.php, but in order.php I still have to find out where to put it, because there is no such code in this file. As soon as/if it works I'll post my new code for order.php!

Share this post


Link to post
Share on other sites

where exactly in admin/mail.php do you put this code please? I'm really wanting to sort it for when I send out order update emails though.

 

Thanks


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Share this post


Link to post
Share on other sites

I have made the recommended change to the admin/mail.php file. Now, the admin directory does not appear in the email header for emails sent using the Send Email function in the admin.

 

I checked the order acknowledge email that is sent immediately after and order is submitted and the admin directory does not appear in the email headers.

 

However, I cannot find similar mail code in the admin/orders.php file to hide the admin directory in the email headers for order status update emails. Does anyone know how to hide the reference to the admin directory in order update emails?

Share this post


Link to post
Share on other sites

Well, it looks like the code used to send order update emails is in the admin/includes/functions/general.php.

 

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
   if (SEND_EMAILS != 'true') return false;

   // Instantiate a new mail object
   $message = new email(array('X-Mailer: osCommerce'));

   // Build the text version
   $text = strip_tags($email_text);
   if (EMAIL_USE_HTML == 'true') {
     $message->add_html($email_text, $text);
   } else {
     $message->add_text($text);
   }

   // Send message
   $message->build_message();
   $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
 }

 function tep_get_tax_class_title($tax_class_id) {
   if ($tax_class_id == '0') {
     return TEXT_NONE;
   } else {
     $classes_query = tep_db_query("select tax_class_title from " . TABLE_TAX_CLASS . " where tax_class_id = '" . (int)$tax_class_id . "'");
     $classes = tep_db_fetch_array($classes_query);

     return $classes['tax_class_title'];
   }
 }

 

Unfortunately, the code is not the same as in the mail.php file. After a couple of failed attempts to change it so the admin directory is not included in the email headers, I have conclusively determined that I don't know what I'm doing. :D

 

Does anyone know how to make the necessary changes?

Share this post


Link to post
Share on other sites

Exact same idea;

 

FROM THIS:

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

TO THIS:

$tempvar = $PHP_SELF;
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$PHP_SELF = $tempvar;


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

I used your example to amend the code as follows:

 

    // Send message
   $message->build_message();

// 7-1-11 code below added to prevent admin directory appearing in email headers in order update emails
// combined with code a couple of lines below
   $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
   $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
// 7-1-11 code below added to prevent admin directory appearing in email headers

   $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

// 7-1-11 code below added to prevent admin directory appearing in email headers in order update emails
// combined with code a couple of lines above
   $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
// 7-1-11 code below added to prevent admin directory appearing in email headers

 }

 

However, the admin directory still appears in the email header.

Share this post


Link to post
Share on other sites

I used your example to amend the code as follows:

 

    // Send message
   $message->build_message();

// 7-1-11 code below added to prevent admin directory appearing in email headers in order update emails
// combined with code a couple of lines below
   $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
   $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
// 7-1-11 code below added to prevent admin directory appearing in email headers

   $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

// 7-1-11 code below added to prevent admin directory appearing in email headers in order update emails
// combined with code a couple of lines above
   $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
// 7-1-11 code below added to prevent admin directory appearing in email headers

 }

 

However, the admin directory still appears in the email header.

 

You will have to do this in the orders.php file in the admin folder.

 

// Before sending mail, chg PHP_SELF to hide admin dir from mail header

 

$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];

$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";

 

//**********ORIGINAL CODE**************

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

//**********END ORIGIANL CODE**********

 

$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

 

//End Modification to email header

 

Locate the Original Code from above and locate it in the orders.php file. Copy everything starting at // Before and //End and replace over the original code in the orders.php file.

 

Hope this helps.

 

Mike


Do or Do Not, there is no try.

Share this post


Link to post
Share on other sites

Exact same idea;

 

FROM THIS:

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

TO THIS:

$tempvar = $PHP_SELF;
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$PHP_SELF = $tempvar;

 

Burt,

 

Should this be done to the checkout_process.php file as well? I know when you checkout you are sent a confirmation email. I do not know much about hacking but is there a chance from the checkout_process as well?

 

Thanks,

 

Mike


Do or Do Not, there is no try.

Share this post


Link to post
Share on other sites

email from checkout_process shoudn't show the admin path, so I don't think it's necessary.


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites
Locate the Original Code from above and locate it in the orders.php file. Copy everything starting at // Before and //End and replace over the original code in the orders.php file.

 

That is what I originally intended to do - find code in the admin/orders.php file that looks similar to the code in the mail.php file and make the change. However, the code does not exist in the admin/orders.php file. I don't know from where status update emails are sent.

Share this post


Link to post
Share on other sites

OK, I think I found the code to change in admin/mail.php and admin/orders.php

 

I see a couple different approaches posted here, so I have question:

 

What's the difference between using

 

$tempvar = $PHP_SELF;

 

or

 

$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];

 

in the code??

 

Thanks


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

$PHP_SELF is already set (in /includes/application_top.php) so it is best to use that for consistency, in my opinion.


Help shape the future of Phoenix; join the Phoenix Club

Share this post


Link to post
Share on other sites

×