zeppo (November 24, 2015)
The PHP mail() function adds X-PHP-Script to the mail header, which includes the URL of the PHP file that called the function and the IP of the sending user. This is potentially a vulnerability, as emails sent from the osC admin will then show the name of the admin directory, giving it away to potential attackers. E.g. "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18"

It can sometimes be inhibited by adding mail.add_x_header = "0" to php.ini, but not with all hosts, it seems.

Cheers, zeppo
MrPhil (December 4, 2015)
In recent PHP builds, it appears that someone decided to switch it "on" (1) by default. If mail.add_x_header=0 (or some syntactical variant) doesn't work in php.ini/httpd.conf or an ini_set() call, talk with your host and explain how important it is to you to suppress the admin directory name in emails. If they won't cooperate, find another host.
multimixer (December 4, 2015)
Gary (@@burt) posted a solution some time back; I can't find it again, so here is what I use, e.g. in admin/orders.php:

```php
// BOF email headers fix
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];     // keep the real script path
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";  // decoy path while the mail is sent
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;     // restore the value that was saved above
// EOF email headers fix
```

The same can be done for the other tep_mail() calls in admin.
Sam-AUST (July 19, 2016)
Quoting multimixer's post above (the "BOF email headers fix" block around tep_mail() in admin/orders.php):

Does this still work for you @@multimixer, and is this code simply inserted into the admin/orders.php file? Can you tell me what other files require it?
MrPhil (July 19, 2016)
Interesting. So mail() simply outputs the PHP_SELF setting, and you can fake it with whatever you want? Even "None of your business!" might work? If the mail.add_x_header setting doesn't work, the PHP_SELF trick (everywhere that mail() is called) might be worth trying. Actually, it would be a good idea not to call mail() directly, except in one utility routine, so that all mail attempts can be treated the same way with common code.
Sam-AUST (July 19, 2016)
@@MrPhil I've been at it all day with my webhost (of 10+ years); due to a shared hosting environment, they will not turn the headers off, so my only solution is one of these other work-arounds. The ability to hide your admin is one of the things I've already appreciated about osCommerce; my host showing it to the world really has me :x
MrPhil (July 19, 2016)
So does either the mail.add_x_header setting or the PHP_SELF trick work for you? I'm not surprised that your host would refuse to globally turn off the headers for everyone, so you'll have to find your own way, if there is one. To answer your earlier question, this code would be applied any place mail() is called. You'll have to do a search of your code for mail() calls. Of course, try the mail.add_x_header setting first, and if it doesn't work, try PHP_SELF in one place and see if it works. If that also doesn't work, we'll have to think of something else. Possibly using (or creating) a tep_mail() call located outside of your admin directory, so the URL given is hopefully harmless.
multimixer (July 20, 2016)
@@Sam-AUST Yes, it works fine. You basically "fake" the PHP_SELF value, send the mail and set it back again.
Sam-AUST (July 31, 2016)
@@MrPhil and @@multimixer - it didn't work for me at all; order update emails to Gmail still show the full source directory (admin).
trier (August 19, 2016)
I have found the following seems to work (should cover all emails sent from within admin?):

In admin/includes/functions/general.php, function tep_mail (line 1179ish), at the start (after `if (SEND_EMAILS != 'true') return false;`) add

```php
$self = $_SERVER['PHP_SELF'];        // remember the real script path
$_SERVER['PHP_SELF'] = "/mail.php";  // decoy path for the duration of the send
```

and at the end (before the closing }) add

```php
$_SERVER['PHP_SELF'] = $self;        // put the real path back
```

Maybe someone more knowledgeable can comment on the placement/viability of this; often things appear to work but they hide/mask/create other faults.
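The following is an added example, not osCommerce code and not code from anyone in this thread. It combines MrPhil's suggestion of a single routine that calls mail() with the PHP_SELF masking that multimixer and trier describe, and restores the real values even if sending throws. Two points worth knowing when deciding whether this trick can work on a given host: PHP's own mail.add_x_header setting produces a header named X-PHP-Originating-Script, built from the executing file name rather than from $_SERVER, and it is PHP_INI_PERDIR, so it can be set in php.ini, .user.ini or the web server configuration but not with ini_set(). The "X-PHP-Script: ... for <ip>" form shown in the first post comes from host-side patched mail() builds, and only a patch that reads $_SERVER can be fooled by rewriting it. The decoy path "/mail.php" follows the thread; the function names, the extra $_SERVER keys that are masked, the global $PHP_SELF handling and the callback-based transport used by the offline demo are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not osCommerce code). Everything except the "/mail.php"
// decoy path taken from the thread is an assumption made for illustration.

/**
 * Whether this PHP build will add its own X-PHP-Originating-Script header.
 * mail.add_x_header is PHP_INI_PERDIR: read it here, but change it only in
 * php.ini, .user.ini or the server configuration.
 */
function php_adds_x_header(): bool
{
    return filter_var(ini_get('mail.add_x_header'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Run $action while the request's script path is replaced by $decoy, then
 * restore the real values even if $action throws.
 *
 * Only host-side mail() patches that read $_SERVER can be fooled this way;
 * PHP's own header uses the executing file name and is controlled solely by
 * mail.add_x_header.
 */
function with_masked_script_path(callable $action, string $decoy = '/mail.php')
{
    global $PHP_SELF; // osCommerce keeps its own copy of the script path

    // PHP_SELF is the key the thread reports working; SCRIPT_NAME and
    // REQUEST_URI are masked too on the assumption that a patch might read
    // one of those instead.
    $keys  = ['PHP_SELF', 'SCRIPT_NAME', 'REQUEST_URI'];
    $saved = [];
    foreach ($keys as $key) {
        $saved[$key]   = $_SERVER[$key] ?? null;
        $_SERVER[$key] = $decoy;
    }
    $savedGlobal = $PHP_SELF ?? null;
    $PHP_SELF    = $decoy;

    try {
        return $action();
    } finally {
        foreach ($saved as $key => $value) {
            if ($value === null) {
                unset($_SERVER[$key]);
            } else {
                $_SERVER[$key] = $value;
            }
        }
        $PHP_SELF = $savedGlobal;
    }
}

/**
 * The one place that calls mail(). $transport exists only so the demo below
 * can run without an MTA; in production leave it null and mail() is used.
 */
function store_mail(string $to, string $subject, string $body, string $headers = '', ?callable $transport = null): bool
{
    $transport = $transport ?? 'mail';
    return with_masked_script_path(
        static fn () => (bool) $transport($to, $subject, $body, $headers)
    );
}

// Offline demo: simulate a call from an admin page, capture what a header
// patch would see during the send, and show the real path is restored.
if (PHP_SAPI === 'cli') {
    $_SERVER['PHP_SELF'] = '/admin/orders.php'; // constructed admin request
    $PHP_SELF = $_SERVER['PHP_SELF'];

    $seen = null;
    $fakeTransport = function (string $to, string $subject, string $body, string $headers) use (&$seen): bool {
        $seen = $_SERVER['PHP_SELF']; // what a patched mail() would record
        return true;
    };

    store_mail('customer@example.com', 'Order update', 'Your order has shipped.', '', $fakeTransport);

    printf("PHP_SELF during mail(): %s\n", $seen);
    printf("PHP_SELF after mail():  %s\n", $_SERVER['PHP_SELF']);
    printf("mail.add_x_header is %s on this build\n", php_adds_x_header() ? 'on' : 'off');
}
```

To check whether a host's patch is actually fooled, send a test message to yourself through store_mail() with the real mail() transport and look at the raw headers of the received message for both X-PHP-Script and X-PHP-Originating-Script; if the second one still names the admin file, the only fix is the ini setting, set in a place the host allows (.user.ini or .htaccess, depending on how PHP runs there).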