zeppo 0 Posted November 24, 2015

The PHP mail() function adds X-PHP-Script to the mail header, which includes the URL of the PHP file that called the function and the IP of the sending user. This is potentially a vulnerability, as emails sent from the osC admin will then show the name of the admin directory, giving this away to potential attackers. E.g. "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18"

Can sometimes be inhibited by adding mail.add_x_header = "0" to php.ini, but not with all hosts, it seems.

Cheers, zeppo
MrPhil 646 Posted December 4, 2015

In recent PHP builds, it appears that someone decided to switch it "on" (1) by default. If mail.add_x_header=0 (or some syntactical variant) doesn't work in php.ini/httpd.conf or an ini_set() call, talk with your host and explain how important it is to you to suppress the admin directory name in emails. If they won't cooperate, find another host.
♥multimixer 325 Posted December 4, 2015

Gary (@@burt) posted a solution some time back, can't find it again, so here is what I use, e.g. in admin/orders.php:

    // BOF email headers fix
    // Save the real script path, replace it with a neutral value while the
    // mail is sent, then put the real value back.
    $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
    $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
    tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
    $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
    // EOF email headers fix

Same can be done for other tep_mail() in admin

My community profile | Template system for osCommerce - New: Responsive | Feedback channel
Sam-AUST 5 Posted July 19, 2016

> Gary (@@burt) posted a solution some time back, can't find it again, so here is what I use, e.g. in admin/orders.php:
>
>     // BOF email headers fix
>     // Save the real script path, replace it with a neutral value while the
>     // mail is sent, then put the real value back.
>     $tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
>     $HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
>     tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
>     $HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;
>     // EOF email headers fix
>
> Same can be done for other tep_mail() in admin

Does this still work for you @@multimixer, and is this code simply inserted into the admin/orders.php file? Can you tell me what other files require it?
MrPhil 646 Posted July 19, 2016

Interesting. So mail() simply outputs the PHP_SELF setting, and you can fake it with whatever you want? Even "None of your business!" might work? If the mail.add_x_header setting doesn't work, the PHP_SELF trick (everywhere that mail() is called) might be worth trying. Actually, it would be a good idea not to call mail() directly, except in one utility routine, so that all mail attempts can be treated the same way with common code.
Sam-AUST 5 Posted July 19, 2016

@@MrPhil I've been at it all day with my webhost (of 10+ years). Due to a shared hosting environment, they will not turn the headers off, so my only solution is one of these other work-arounds. The ability to hide your admin is one of the things I've already appreciated about osCommerce; my host showing it to the world really has me :x
MrPhil 646 Posted July 19, 2016

So does either the mail.add_x_header setting or the PHP_SELF trick work for you? I'm not surprised that your host would refuse to globally turn off the headers for everyone, so you'll have to find your own way, if there is one.

To answer your earlier question, this code would be applied any place mail() is called. You'll have to do a search of your code for mail() calls. Of course, try the mail.add_x_header setting first, and if it doesn't work, try PHP_SELF in one place and see if it works. If that also doesn't work, we'll have to think of something else. Possibly using (or creating) a tep_mail() call located outside of your admin directory, so the URL given is hopefully harmless.
♥multimixer 325 Posted July 20, 2016

@@Sam-AUST Yes, it works fine; you basically "fake" the PHP_SELF value, send the mail and set it back again.

My community profile | Template system for osCommerce - New: Responsive | Feedback channel
Sam-AUST 5 Posted July 31, 2016

@@MrPhil and @@multimixer - it didn't work for me at all; order update emails to Gmail still show the full source directory (admin).
trier 3 Posted August 19, 2016

I have found the following seems to work (should cover all emails sent from within admin?):

admin/includes/functions/general.php, function tep_mail (line 1179ish)

At the start (after if (SEND_EMAILS != 'true') return false;) add:

    // Hide the real admin script path from the X-PHP-Script header
    $self = $_SERVER['PHP_SELF'];
    $_SERVER['PHP_SELF'] = "/mail.php";

At the end (before the closing }) add:

    // Restore the real value once the mail has been handed to mail()
    $_SERVER['PHP_SELF'] = $self;

Maybe someone more knowledgeable can comment on the placement/viability of this – often things appear to work but they hide/mask/create other faults.
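Putting MrPhil's suggestion (one utility routine that every mail goes through) together with trier's tep_mail() edit, here is an added example that is not code from this thread or from osCommerce. It assumes, as the thread reports, that the host's X-PHP-Script header is built from $_SERVER['PHP_SELF'] at the moment mail() runs; the function names store_send_mail(), x_header_enabled() and leaky_headers() are made up for the example, and the sample headers are constructed from the first post's example.

```php
<?php
// Added example, not code from the thread or from osCommerce.
// Assumes the host's X-PHP-Script header is derived from $_SERVER['PHP_SELF']
// when mail() is called, as described in the thread.

// 1. Is the php.ini switch on for this script?
//    mail.add_x_header is PHP_INI_PERDIR: it can be set in php.ini,
//    httpd.conf or .user.ini, but ini_set() at run time has no effect.
function x_header_enabled(): bool
{
    return filter_var(ini_get('mail.add_x_header'), FILTER_VALIDATE_BOOLEAN);
}

// 2. A single wrapper for all outgoing mail, so the PHP_SELF masking lives in
//    one place. try/finally restores the real value even if mail() throws or
//    somebody later adds an early return between the two assignments.
function store_send_mail(string $to, string $subject, string $body, string $from): bool
{
    $had   = array_key_exists('PHP_SELF', $_SERVER);
    $saved = $_SERVER['PHP_SELF'] ?? null;
    $_SERVER['PHP_SELF'] = '/mail.php'; // neutral path, as in the thread's fix
    try {
        $headers = implode("\r\n", [
            'From: ' . $from,
            'MIME-Version: 1.0',
            'Content-Type: text/plain; charset=UTF-8',
        ]);
        return mail($to, $subject, $body, $headers);
    } finally {
        if ($had) {
            $_SERVER['PHP_SELF'] = $saved;
        } else {
            unset($_SERVER['PHP_SELF']);
        }
    }
}

// 3. Verification: paste the raw headers of a message the store sent to you
//    and list any header that still reveals a script path.
function leaky_headers(string $rawHeaders): array
{
    $found = [];
    // Unfold RFC 5322 continuation lines before matching.
    $unfolded = preg_replace("/\r?\n[ \t]+/", ' ', $rawHeaders);
    foreach (preg_split("/\r?\n/", $unfolded) as $line) {
        if (preg_match('/^(X-PHP-Script|X-PHP-Originating-Script)\s*:\s*(.*)$/i', $line, $m)) {
            $found[strtolower($m[1])] = trim($m[2]);
        }
    }
    return $found;
}

// Constructed sample headers, modelled on the example in the first post.
$sample = "Received: from mail.example.test\r\n"
        . "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18\r\n"
        . "Subject: Order update\r\n";

echo x_header_enabled() ? "mail.add_x_header is ON\n" : "mail.add_x_header is off\n";
foreach (leaky_headers($sample) as $name => $value) {
    echo "leaked: $name => $value\n";
}
```

Two things worth knowing when testing this. The PHP_SELF override only influences headers that a host-side patch derives from $_SERVER, which is why it worked for some posters and not others; PHP's own header, X-PHP-Originating-Script, takes the script name from the engine rather than from $_SERVER and is only removed by mail.add_x_header = 0, though it carries the file's basename and uid, not the directory. Send a test order update to a mailbox you control, view the raw source, and feed the header block to leaky_headers() to confirm the admin path is gone.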