Exposing Admin Folder Name in Emails


trier

    osC – bs Gold.    PHP 5.6.32 and
    osC – latest bs.   PHP 7.1.6
  
Hi, there are several old threads discussing the ‘X-PHP-Script’ & ‘X-PHP-Filename’ email headers exposing the admin folder name in emails sent from within admin. Previously it wasn’t too much of an issue: ‘mail.add_x_header’ in php.ini set to “off” and the recommended $_SERVER['PHP_SELF'] temporary overwrite both appeared to stop the problem.
 
Recently when checking emails sent from admin, although both the live & test sites have ‘mail.add_x_header’ set to “off” and the $_SERVER['PHP_SELF'] overwrite in place, the 'X-PHP-Script' & 'X-PHP-Filename' headers are present and showing the admin folder name.
 
I tried a temporary overwrite of every item in $_SERVER that showed the script name - no effect. I have now changed admin/includes/classes/email.php lines 520 & 522 from ‘return email(....’ to ‘return imap_mail(....’. As far as I can see the ‘X-PHP-Script’ & ‘X-PHP-Filename’ headers are no longer present; all other headers are the same (only tried it with E-Mail Transport Method = sendmail (not with smtp)).
 
Questions:
1) Has anyone else found their admin folder name is now being exposed in email headers?
2) What is the impact of using the PHP ‘imap_mail’ function in place of the ‘mail’ function?
 

It has always been that way and is a known way for hackers to obtain the admin name. Who knows how many use that approach but I know that many will create accounts on a site and that might be one of the reasons they do it since they will receive emails from admin. Here is the code I use. In admin/includes/functions/general.php, find these lines:

    // Instantiate a new mail object
    $message = new email(array('X-Mailer: osCommerce'));

Change osCommerce above to your shop name, or whatever you want.

Add these before the above:

  $oldphpself = $_SERVER['PHP_SELF'];
  $oldremoteaddr = $_SERVER['REMOTE_ADDR'];

  $_SERVER['PHP_SELF'] = "/mail.php";
  $_SERVER['REMOTE_ADDR'] = $_SERVER['SERVER_ADDR'];

Find this line

    $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
    

And add these below it:

  // restore obfuscated server variables
  $_SERVER['PHP_SELF'] = $oldphpself;
  $_SERVER['REMOTE_ADDR'] = $oldremoteaddr;

Then send an email from admin and make sure it is working.


Hi, thank you for your comment. In addition to ‘mail.add_x_header’ = ‘off’ in php.ini, that is effectively what I had in place. Just to make sure, I did a copy & paste using your suggested changes. The outcome is still the same, ‘X-PHP-Script’ & ‘X-PHP-Script’ both include the admin folder name when sending emails from status update in admin/orders.php (I altered $email_subject within tep_mail to make sure I’d changed the correct area).
 
Although I am seeing this on 2 different hosted sites, I presume no-one else is experiencing the same?
 
For now I will continue using the imap_mail PHP function in place of the mail function in admin/includes/classes/email.php > send. All testing so far suggests that ‘X-PHP-Script’ & ‘X-PHP-Script’ headers are not present when sending by imap_mail and nothing detrimental is apparent (yet?).
 

16 hours ago, Harald Ponce de Leon said:

Can you please confirm that the  value is set to Off on the Admin -> Tools -> Server Info page. The expose_php value should also be set to Off.

mail.add_x_header is set to off however expose_php is set to on.

This is on a shared server with a reputable hosting company.

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


@mhsuffolk, create a file on your webserver and copy the following code to it, replacing your@email_address with your working email address. Request the file with your browser to send a test email. If the php filename is still being shown in the email headers, you will need to contact your hosting provider to get them to fix it for you on their end.

    <?php
    mail('your@email_address', 'Test Subject', 'Test Message');

    echo 'Sent!';
    ?>

 

:heart:, osCommerce


6 minutes ago, Harald Ponce de Leon said:

@mhsuffolk, create a file on your webserver and copy the following code to it, replacing your@email_address with your working email address. Request the file with your browser to send a test email. If the php filename is still being shown in the email headers, you will need to contact your hosting provider to get them to fix it for you on their end.


    <?php
    mail('your@email_address', 'Test Subject', 'Test Message');

    echo 'Sent!';
    ?>

 

I have tried that and the admin directory no longer shows. The email has come from the root name of my server at the hosting company rather than my store's email address and now instead of /admin/mail.php I have /test.php in the two X-PHP lines. I named the new file test.php.

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


Just now, mhsuffolk said:

I have tried that and the admin directory no longer shows. The email has come from the root name of my server at the hosting company rather than my store's email address and now instead of /admin/mail.php I have /test.php in the two X-PHP lines. I named the new file test.php.

Yep, if you move that file to your admin directory, the admin path will be added to the email headers.

This is something only your hosting provider can fix. It would be best to send them an inquiry on how to get it fixed. The test code is using the native PHP mail() function and does not contain any osCommerce code or configuration.

:heart:, osCommerce


 

6 hours ago, Harald Ponce de Leon said:

This is something only your hosting provider can fix. It would be best to send them an inquiry on how to get it fixed. The test code is using the native PHP mail() function and does not contain any osCommerce code or configuration.

My host will not help as I am on a shared server. They suggested an htaccess solution which did not work.

On 24/11/2017 at 11:39 AM, trier said:
I have now changed admin/includes/classes/email.php lines 520 & 522 from ‘return email(....’ to ‘return imap_mail(....’. As far as I can see the ‘X-PHP-Script’ & ‘X-PHP-Filename’ headers are no longer present; all other headers are the same (only tried it with E-Mail Transport Method = sendmail (not with smtp)).

I have tried this and it works.

Is there anything detrimental in this approach, as it seems too easy?

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


29 minutes ago, mhsuffolk said:

They suggested an htaccess solution which did not work.

I don't know if expose_php could fix the problem - this setting can only be disabled in the php.ini file and not in a htaccess file. This is why only your hosting provider can change that value. This is noted in the PHP documentation:

http://php.net/manual/en/ini.core.php

32 minutes ago, mhsuffolk said:

I have tried this and it works.

Is there anything detrimental in this approach, as it seems too easy?

I don't know. If it works for you it may be an alternative solution.

:heart:, osCommerce


Archived

This topic is now archived and is closed to further replies.
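
Whichever change is tried (the php.ini setting, the $_SERVER overwrite, or the imap_mail swap), the result has to be confirmed by reading the raw source of a received test message. The script below is an added example, not part of the thread or of osCommerce: it lists every X-PHP-* header in a saved message and flags values containing the admin folder name. The folder name `shop-admin-x7`, the sample message and the function names are constructed for illustration.

```php
<?php
// Added example, not osCommerce code. Audits the raw source of a received
// message for X-PHP-* headers and flags values containing the admin folder.

// Split the header block into [name, value] pairs, unfolding continuation lines.
function parse_headers($raw) {
    $parts = preg_split('/\r?\n\r?\n/', $raw, 2);           // headers end at the first blank line
    $block = preg_replace('/\r?\n[ \t]+/', ' ', $parts[0]); // unfold continuation lines
    $headers = array();
    foreach (preg_split('/\r?\n/', $block) as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        list($name, $value) = explode(':', $line, 2);
        $headers[] = array(trim($name), trim($value));
    }
    return $headers;
}

// Return every X-PHP-* header; 'exposes_admin' is true when the value
// contains the admin folder as a path segment.
function find_script_leaks($raw, $adminDir) {
    $needle = '/' . trim($adminDir, '/') . '/';
    $leaks = array();
    foreach (parse_headers($raw) as $pair) {
        list($name, $value) = $pair;
        if (stripos($name, 'X-PHP-') !== 0) {
            continue;
        }
        $leaks[] = array(
            'header' => $name,
            'value' => $value,
            'exposes_admin' => stripos($value, $needle) !== false,
        );
    }
    return $leaks;
}

// Constructed sample: header values are placeholders, not captured from a real server.
$sample = "To: customer@example.com\r\nSubject: Order Update\r\n"
        . "X-PHP-Script: shop.example.com/shop-admin-x7/orders.php\r\n"
        . "X-PHP-Filename: /home/shop/public_html/shop-admin-x7/orders.php\r\n"
        . "X-Mailer: osCommerce\r\n\r\nYour order status has changed.\r\n";

// Usage: php audit_headers.php message.eml admin-folder  (no arguments: runs the sample)
$raw = isset($argv[2]) ? file_get_contents($argv[1]) : $sample;
$dir = isset($argv[2]) ? $argv[2] : 'shop-admin-x7';
foreach (find_script_leaks($raw, $dir) as $leak) {
    printf("%s %s: %s\n", $leak['exposes_admin'] ? 'LEAK' : 'info', $leak['header'], $leak['value']);
}
```

Run it against messages sent both from the shop root and from the admin folder; an empty result for the admin-sent message means the headers are gone.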
