  1. #1 | Join Date: Oct 2006 | Location: Italy | Posts: 634 | Plugin Contributions: 0

    newsletter email header

    I've seen that in the mail header, after the subject, this is shown:
    X-PHP-Script: www. my_domain.com/xxxxx/newsletters.php for 192.168.142.126

    where xxxxx is my admin directory.
    To prevent a site disaster, is it possible to delete or mask this information?

  2. #2 | Join Date: Jan 2004 | Posts: 66,364 | Blog Entries: 7 | Plugin Contributions: 274

    Re: newsletter email header

    If you're using PHP 5.3, you might try adding this to your /admin/.htaccess file:
    Code:
    #turn off X-PHP-Originating-Script header when sending emails from admin
    php_flag mail.add_x_header Off
    Granted, this deals with the "X-PHP-Originating-Script" header, and NOT the "X-PHP-Script" header.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3 | Join Date: Mar 2006 | Location: Zevenbergen, NL | Posts: 40 | Plugin Contributions: 0

    Re: Admin emails reveal the admin dir

    When sending emails from the admin the mails include the full path to the admin dir.
    (Checked for order updates and email customer.)

    When inspecting the source of the email I find the following information:
    -------------------------------------------------------------------------------------
    To: [email protected]
    Subject: test
    X-PHP-Script: www.xxx.xx/test/junk/mail.php for xx.xxx.xxx.xxx
    Date: Sun, 21 Nov 2010 16:36:50 +0100
    -------------------------------------------------------------------------------------

    This is different from the old language pack problem reported earlier.

  4. #4 | Join Date: Jan 2004 | Posts: 66,364 | Blog Entries: 7 | Plugin Contributions: 274

    Re: Admin emails reveal the admin dir

    Right.
    That's because your hosting company has configured PHP to send those headers, because it helps them track down spammers if rogue scripts on the server send out spam and the emails get reported.

    It's a long-standing known issue.

    You have two options:
    a) Tell your hosting company that you don't care about their spam controls and get them to turn it off.

    or

    b) Change your Zen Cart configuration to use SMTPAUTH for the Email Transport Protocol instead of PHP. Be sure to fill in all the SMTP settings as well, else it won't work.

    Option (b) is the best approach, since it has the side-benefit of having your emails much less likely treated as spam when they're received.

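    A way to verify whether either fix (the php_flag in .htaccess, or switching the transport to SMTPAUTH) actually worked is to send yourself a test message and audit its raw headers. The script below is an added example written for this thread; it is not part of Zen Cart and not code posted by anyone above. It parses a raw message with Python's standard email module and flags any header that names a server-side script path, carries one of the PHP-injected header names seen in the thread (X-PHP-Script, X-PHP-Originating-Script), or contains a private IP address. The host name example.com, the directory myadmin and the IP in the sample message are constructed values, not real ones.

```python
"""Audit raw mail headers for admin-directory / server-path disclosure.

Added example for the forum thread above; not Zen Cart code.
"""
import email
import ipaddress
import re
from email import policy

# Header names that PHP's mail() adds when mail.add_x_header is on, or that
# host-applied mail() patches add; the thread shows X-PHP-Script.
DISCLOSING_HEADERS = {"x-php-script", "x-php-originating-script"}

# Matches a script path such as www.example.com/myadmin/newsletters.php
SCRIPT_PATH_RE = re.compile(r"(?:[\w.-]+)?(?:/[\w.-]+)+\.php\b", re.IGNORECASE)

# Dotted-quad candidates; validated with ipaddress below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _private_ips(value):
    """Return the RFC 1918 / loopback / link-local IPv4 addresses in a header value."""
    found = []
    for token in IPV4_RE.findall(value):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if ip.is_private:
            found.append(token)
    return found


def find_leaky_headers(raw_message):
    """Return a list of (header_name, header_value, reasons) for every header
    that discloses a script path, is a known PHP-injected header, or
    contains a private IP address. An empty list means the headers are clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for name, value in msg.items():
        value = str(value)
        reasons = []
        if name.lower() in DISCLOSING_HEADERS:
            reasons.append("php-script-header")
        if SCRIPT_PATH_RE.search(value):
            reasons.append("script-path")
        if _private_ips(value):
            reasons.append("private-ip")
        if reasons:
            findings.append((name, value, reasons))
    return findings


# Constructed sample: what a message sent through the PHP transport looked like
# in the thread (example.com, myadmin and the IP are made-up placeholders).
SAMPLE_LEAKY = """\
To: customer@example.com
Subject: test
X-PHP-Script: www.example.com/myadmin/newsletters.php for 192.168.142.126
Date: Sun, 21 Nov 2010 16:36:50 +0100
From: shop@example.com

test body
"""

# Constructed sample: the same message after the fix, with no PHP header.
SAMPLE_CLEAN = """\
To: customer@example.com
Subject: test
Date: Sun, 21 Nov 2010 16:36:50 +0100
From: shop@example.com

test body
"""

if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_LEAKY), ("after fix", SAMPLE_CLEAN)):
        hits = find_leaky_headers(sample)
        print(f"{label}: {len(hits)} disclosing header(s)")
        for name, value, reasons in hits:
            print(f"  {name}: {value}  [{', '.join(reasons)}]")
```

    Paste the full source of a test email (as shown in post #3) into a file and feed it to find_leaky_headers; a non-empty result means the admin directory is still being disclosed. Note that these headers are appended inside PHP's mail() call, after the application has built the message, so application code cannot strip them; only the php_flag setting or a transport that bypasses mail() (the SMTPAUTH option above) prevents them.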
  5. #5 | Join Date: Mar 2006 | Location: Zevenbergen, NL | Posts: 40 | Plugin Contributions: 0

    Re: Admin emails reveal the admin dir

    Thanks for making this clear; setting the shop to SMTPAUTH fixed it.
    Saved me a lot of unneeded digging in the code.

    May I conclude that it would be better to avoid this PHP setting if possible?

  6. #6 | Join Date: Jan 2004 | Posts: 66,364 | Blog Entries: 7 | Plugin Contributions: 274

    Re: [Done v1.5.0] Admin emails reveal the admin dir

    NOTE: Using the SMTP method mentioned earlier is preferred.

    Alternatively, if you wish to add files that will need to be deleted when upgrading to a future release, you could add these files to your site to have it mask that information when sending emails when the PHP transport method is selected:
    Unzip and upload the included files to the corresponding locations.

    - /includes/classes/class.email_headers_obfuscator_139.php
    and
    - /(your renamed) admin/includes/auto_loaders/config.email_headers_obfuscator_139.php
    - /includes/auto_loaders/config.email_headers_obfuscator_139.php

    Yes: that same file needs to be uploaded to BOTH locations.

    *disclaimer: this observer implementation has not been directly tested, although the actions it performs have tested fine. Apologies if you encounter problems using it. Again, the SMTP approach is FAR MORE BENEFICIAL even beyond just addressing this particular matter.
