I've seen that the mail header shows, after the subject:
X-PHP-Script: www. my_domain.com/xxxxx/newsletters.php for 192.168.142.126
where xxxxx is my admin directory.
To prevent site disaster, is it possible to delete or mask this information?
If you're using PHP 5.3, you might try adding this to your /admin/.htaccess file:
Code:
#turn off X-PHP-Originating-Script header when sending emails from admin
php_flag mail.add_x_header Off
Granted, this deals with the "X-PHP-Originating-Script" header, and NOT the "X-PHP-Script" header.
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
When sending emails from the admin the mails include the full path to the admin dir.
(Checked for order updates and email customer.)
When inspecting the source of the email I find the following information:
-------------------------------------------------------------------------------------
To: [email protected]
Subject: test
X-PHP-Script: www.xxx.xx/test/junk/mail.php for xx.xxx.xxx.xxx
Date: Sun, 21 Nov 2010 16:36:50 +0100
-------------------------------------------------------------------------------------
This is different from the old language pack problem reported earlier.
Right.
That's because your hosting company has configured PHP to send those headers, because it helps them track down spammers if rogue scripts on the server send out spam and the emails get reported.
It's a long-standing known issue.
You have two options:
a) Tell your hosting company that you don't care about their spam controls and get them to turn it off.
or
b) Change your Zen Cart configuration to use SMTPAUTH for the Email Transport Protocol instead of PHP. Be sure to fill in all the SMTP settings as well, else it won't work.
Option (b) is the best approach, since it has the side-benefit of making your emails much less likely to be treated as spam when they're received.
Thanks for making this clear; setting the shop to smtpauth fixed it.
Saved me a lot of unneeded digging in the code.
May I conclude that it would be better to avoid this php setting if possible?
NOTE: Using the SMTP method mentioned earlier is preferred.
Alternatively, if you wish to add files that will need to be deleted when upgrading to a future release, you could add these files to your site to have it mask that information when sending emails when the PHP transport method is selected:
Unzip and upload the included files to the corresponding locations.
- /includes/classes/class.email_headers_obfuscator_139.php
and
- /(your renamed) admin/includes/auto_loaders/config.email_headers_obfuscator_139.php
- /includes/auto_loaders/config.email_headers_obfuscator_139.php
Yes: that same file needs to be uploaded to BOTH locations.
*disclaimer: this observer implementation has not been directly tested, although the actions it performs have tested fine. Apologies if you encounter problems using it. Again, the SMTP approach is FAR MORE BENEFICIAL even beyond just addressing this particular matter.
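A header check for verifying any of the fixes discussed in this thread, added here as an example that is not part of the original posts or of Zen Cart: it parses the raw source of a test email and reports any X-PHP-Script or X-PHP-Originating-Script header together with the directory it exposes. The function name, sample messages, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Headers discussed in this thread that PHP (or a host's PHP build) adds to mail() output.
LEAKY_HEADERS = ("X-PHP-Script", "X-PHP-Originating-Script")

# X-PHP-Script value as shown in the thread: "<host>/<path>/<script>.php for <client ip>"
X_PHP_SCRIPT = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<client>\S+)$")
# X-PHP-Originating-Script value written when mail.add_x_header is on: "<uid>:<script>.php"
X_PHP_ORIG = re.compile(r"^(?P<uid>\d+):(?P<script>\S+)$")


def audit_headers(raw_message):
    """Return one finding dict per leaky header found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for name in LEAKY_HEADERS:
        for value in msg.get_all(name, []):
            value = " ".join(str(value).split())  # collapse folded header whitespace
            finding = {"header": name, "value": value}
            pattern = X_PHP_SCRIPT if name == "X-PHP-Script" else X_PHP_ORIG
            m = pattern.match(value)
            if m:
                finding.update(m.groupdict())
                if "path" in finding:
                    # The directory part is what exposes a renamed admin folder.
                    finding["directory"] = finding["path"].rsplit("/", 1)[0] or "/"
            findings.append(finding)  # unparsed values are still reported
    return findings


# Constructed sample: mail sent with the PHP transport on a host that adds both headers.
SAMPLE_PHP_TRANSPORT = (
    "To: customer@example.test\n"
    "Subject: test\n"
    "X-PHP-Script: www.example.test/secret-admin/newsletters.php\n"
    " for 203.0.113.7\n"
    "X-PHP-Originating-Script: 1000:newsletters.php\n"
    "Date: Sun, 21 Nov 2010 16:36:50 +0100\n"
    "\n"
    "body\n"
)
# Constructed sample: the same mail after switching the transport to SMTP.
SAMPLE_SMTP = "To: customer@example.test\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("php mail()", SAMPLE_PHP_TRANSPORT), ("smtp", SAMPLE_SMTP)):
        hits = audit_headers(raw)
        print(label, "LEAK" if hits else "clean", hits)
```

Save the raw source of a test email sent from the admin, pass it to `audit_headers`, and treat any non-empty result as a sign that the header is still being added.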