zeppo

PHP mail() adding X-PHP-Script to header exposing admin dir

The PHP mail() function adds X-PHP-Script to the mail header, which includes the URL of the PHP file that called the function and the IP of the sending user. This is potentially a vulnerability, as emails sent from the osC admin will then show the name of the admin directory, giving this away to potential attackers. E.g. "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18"

It can sometimes be inhibited by adding mail.add_x_header = "0" to php.ini, but not with all hosts, it seems.

 

Cheers,

  zeppo


In recent PHP builds, it appears that someone decided to switch it "on" (1) by default. If mail.add_x_header=0 (or some syntactical variant) doesn't work in php.ini/httpd.conf or an ini_set() call, talk with your host and explain how important it is to you to suppress the admin directory name in emails. If they won't cooperate, find another host.


Gary (@@burt) posted a solution some time back; I can't find it again, so here is what I use, e.g. in admin/orders.php:

    // BOF email headers fix
    // Save the real script path, then point PHP_SELF at a harmless name for the
    // duration of the tep_mail() call so the X-PHP-Script header does not reveal
    // the admin directory. ($HTTP_SERVER_VARS is the pre-PHP 5.4 name for $_SERVER.)
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
    tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    // Restore the entry that was overwritten so the rest of the page builds its links normally
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
    // EOF email headers fix

The same can be done for the other tep_mail() calls in admin.



Does this still work for you @@multimixer and is this code simply inserted into the admin/orders.php file? Can you tell me what other files require it?


Interesting. So mail() simply outputs the PHP_SELF setting, and you can fake it with whatever you want? Even "None of your business!" might work? If the mail.add_x_header setting doesn't work, the PHP_SELF trick (everywhere that mail() is called) might be worth trying. Actually, it would be a good idea not to call mail() directly, except in one utility routine, so that all mail attempts can be treated the same way with common code.


@@MrPhil I've been at it all day with my webhost (of 10+ years). Due to a shared hosting environment, they will not turn the headers off, so my only solution is one of these other work-arounds.

The ability to hide your admin is one of the things I've already appreciated about oscommerce, my host showing it to the world really has me  :x


So does either the mail.add_x_header setting or the PHP_SELF trick work for you? I'm not surprised that your host would refuse to globally turn off the headers for everyone, so you'll have to find your own way, if there is one.

 

To answer your earlier question, this code would be applied any place mail() is called. You'll have to do a search of your code for mail() calls. Of course, try the mail.add_x_header setting first, and if it doesn't work, try PHP_SELF in one place and see if it works. If that also doesn't work, we'll have to think of something else. Possibly using (or creating) a tep_mail() call located outside of your admin directory, so the URL given is hopefully harmless.

I have found the following seems to work (should cover all emails sent from within admin?):

admin/includes/functions/general.php

    function tep_mail (line 1179ish)

        at the start (after  if (SEND_EMAILS != 'true') return false;) add

            $self = $_SERVER['PHP_SELF'];
            $_SERVER['PHP_SELF'] = "/mail.php";

        at the end (before closing }) add

            $_SERVER['PHP_SELF'] = $self;

Maybe someone more knowledgeable can comment on the placement/viability of this – often things appear to work but they hide/mask/create other faults.

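An added example, not code from the posts above or from osCommerce, that combines MrPhil's suggestion of a single routine through which every mail() call passes with the save/restore of $_SERVER['PHP_SELF'] shown in the tep_mail() edit. It assumes the host's header patch builds X-PHP-Script from $_SERVER['PHP_SELF'] (the thread reports that overriding PHP_SELF works) and possibly SCRIPT_NAME, and PHP 5.5 or later for try/finally; the function names are mine. mail.add_x_header is a per-directory directive (php.ini, .user.ini or httpd.conf), so the example only reports it rather than trying ini_set().

```php
<?php
// Added example for this thread; not code from the posts or from osCommerce.
// Assumptions: the host's mail header patch reads PHP_SELF (and maybe SCRIPT_NAME)
// from $_SERVER; PHP 5.5+ for try/finally. Function names are hypothetical.

/**
 * Run $action with $_SERVER['PHP_SELF'] (and SCRIPT_NAME) temporarily replaced
 * by a neutral path, then restore the originals. Restoring in finally means an
 * exception inside $action cannot leave the request with a bogus PHP_SELF,
 * which osCommerce uses when it builds links.
 */
function with_masked_script_path(callable $action, $mask = '/mail.php')
{
    $keys  = array('PHP_SELF', 'SCRIPT_NAME'); // SCRIPT_NAME is an assumption
    $saved = array();
    foreach ($keys as $key) {
        if (array_key_exists($key, $_SERVER)) {
            $saved[$key]   = $_SERVER[$key];
            $_SERVER[$key] = $mask;
        }
    }
    try {
        return $action();
    } finally {
        foreach ($saved as $key => $value) {
            $_SERVER[$key] = $value;
        }
    }
}

/**
 * True when PHP's own mail.add_x_header directive is still on. It is a
 * per-directory directive, so it is reported here rather than changed
 * with ini_set(); the fix for that one belongs in php.ini/.user.ini/httpd.conf.
 */
function x_header_directive_enabled()
{
    return filter_var(ini_get('mail.add_x_header'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * The one routine that calls mail(), so every email from the store (admin
 * included) is masked the same way. tep_mail() in
 * admin/includes/functions/general.php could call this instead of mail().
 */
function send_mail_masked($to, $subject, $body, $headers = '')
{
    return with_masked_script_path(function () use ($to, $subject, $body, $headers) {
        return mail($to, $subject, $body, $headers);
    });
}

/**
 * Offline check that the mask is in place during the call and gone afterwards,
 * without sending anything. Returns true when both hold.
 */
function self_check()
{
    $_SERVER['PHP_SELF'] = '/admin/orders.php'; // constructed sample value
    $seen = with_masked_script_path(function () {
        return $_SERVER['PHP_SELF'];
    });
    return $seen === '/mail.php' && $_SERVER['PHP_SELF'] === '/admin/orders.php';
}

if (PHP_SAPI === 'cli') {
    printf("mail.add_x_header on: %s\n", x_header_directive_enabled() ? 'yes' : 'no');
    echo self_check() ? "mask applied and restored\n" : "self check failed\n";
}
```

Run it from the command line to confirm the save/restore logic before touching the store; the only way to confirm the header itself is to send a test message through the wrapper and inspect the raw headers of what arrives. Note that stock PHP's own header (X-PHP-Originating-Script) is built from the executing file's name rather than from $_SERVER, so masking PHP_SELF only helps with host-side patches that read $_SERVER; the directive is what turns PHP's own header off.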