PHP mail() adding X-PHP-Script to header exposing admin dir

[zeppo 0]

The PHP mail() function adds X-PHP-Script to the mail header which include the URL of the PHP-file that called the function and IP of the sending user. This is potentially a vulnerability as emails sent from the osC admin then will show the name of the admin directory giving away this to potential attackers. E.x. "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18"

 

Can sometimes be inhibited by adding mail.add_x_header = "0" to php.ini, but not with all hosts if seems.

 

Cheers,

  zeppo

[MrPhil 646]

In recent PHP builds, it appears that someone decided to switch it "on" (1) by default. If mail.add_x_header=0 (or some syntactical variant) doesn't work in php.ini/httpd.conf or an ini_set() call, talk with your host and explain how important it is to you to suppress the admin directory name in emails. If they won't cooperate, find another host.

[♥multimixer 325]

Gary (@@burt) posted a solution some time back, can't find it again, so here is what I use, e.g. in admin/orders.php

            // BOF email headers fix
            $tempvar = $PHP_SELF;
            $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
            tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
            $PHP_SELF = $tempvar;
            // EOF email headers fix

Same can be done for other tep_mail() in admin

[Sam-AUST 5]

Gary (@@burt) posted a solution some time back, can't find it again, so here is what I use, e.g. in admin/orders.php

            // BOF email headers fix
            $tempvar = $PHP_SELF;
            $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
            tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
            $PHP_SELF = $tempvar;
            // EOF email headers fix

Same can be done for other tep_mail() in admin

 

Does this still work for you @@multimixer and is this code simply inserted into the admin/orders.php file? Can you tell me what other files require it?

[MrPhil 646]

Interesting. So mail() simply outputs the PHP_SELF setting, and you can fake it with whatever you want? Even "None of your business!" might work? If the mail.add_x_header setting doesn't work, the PHP_SELF trick (everywhere that mail() is called) might be worth trying. Actually, it would be a good idea not to call mail() directly, except in one utility routine, so that all mail attempts can be treated the same way with common code.

[Sam-AUST 5]

@@MrPhil I've been at it all day with my webhost (of 10+ years), due to a shared hosting environment, they will not turn the headers off, so my only solution is one of these other work-arounds.

 

The ability to hide your admin is one of the things I've already appreciated about oscommerce, my host showing it to the world really has me  :x

[MrPhil 646]

So does either the mail.add_x_header setting or the PHP_SELF trick work for you? I'm not surprised that your host would refuse to globally turn off the headers for everyone, so you'll have to find your own way, if there is one.

 

To answer your earlier question, this code would be applied any place mail() is called. You'll have to do a search of your code for mail() calls. Of course, try the mail.add_x_header setting first, and if it doesn't work, try PHP_SELF in one place and see if it works. If that also doesn't work, we'll have to think of something else. Possibly using (or creating) a tep_mail() call located outside of your admin directory, so the URL given is hopefully harmless.

[♥multimixer 325]

@@Sam-AUST

 

Yes, it work fine, you basically "fake" the PHP_SELF value, send the mail and set it back again

[Sam-AUST 5]

@@MrPhil and @@multimixer - it didn't work for me at all, order update emails to gmail still show the full source directory (admin).

[trier 3]

I have found the following seems to work (should cover all emails sent from within admin?) :-

 

admin/includes/functions/general.php

 

    function tep_mail  (line 1179ish)

 

        at the start (after  if (SEND_EMAILS != 'true') return false;) add

 

            $self = $_SERVER['PHP_SELF'];

            $_SERVER['PHP_SELF']  =  "/mail.php";

 

 

        at the end (before closing }) add

 

            $_SERVER['PHP_SELF'] = $self;

 

 

Maybe someone more knowledgeable can comment on the placement/viability of this – often things appear to work but they hide/mask/create other faults.