X-php-script Email Header


Riley Dyen

Aug 4, 2024, 7:37:54 PM8/4/24
to rutadime
The PHP mail() function adds X-PHP-Script to the mail header, which includes the URL of the PHP file that called the function and the IP of the sending user. This is potentially a vulnerability, as emails sent from the osC admin will then show the name of the admin directory, giving this away to potential attackers. E.g. "X-PHP-Script: www.sto.re/admin/mail.php for 44.126.34.18"

In recent PHP builds, it appears that someone decided to switch it "on" (1) by default. If mail.add_x_header=0 (or some syntactical variant) doesn't work in php.ini/httpd.conf or an ini_set() call, talk with your host and explain how important it is to you to suppress the admin directory name in emails. If they won't cooperate, find another host.


Interesting. So mail() simply outputs the PHP_SELF setting, and you can fake it with whatever you want? Even "None of your business!" might work? If the mail.add_x_header setting doesn't work, the PHP_SELF trick (everywhere that mail() is called) might be worth trying. Actually, it would be a good idea not to call mail() directly, except in one utility routine, so that all mail attempts can be treated the same way with common code.


So does either the mail.add_x_header setting or the PHP_SELF trick work for you? I'm not surprised that your host would refuse to globally turn off the headers for everyone, so you'll have to find your own way, if there is one.


To answer your earlier question, this code would be applied any place mail() is called. You'll have to do a search of your code for mail() calls. Of course, try the mail.add_x_header setting first, and if it doesn't work, try PHP_SELF in one place and see if it works. If that also doesn't work, we'll have to think of something else. Possibly using (or creating) a tep_mail() call located outside of your admin directory, so the URL given is hopefully harmless.


Not so long ago a patch was added to the PHP source code that, when mail is sent using the mail() function, has the effect of exposing both the script address on the server and the IP address of the remote user (the person submitting a contact form that sends email for example).


The logic behind this is clear. So many open source PHP applications have security holes allowing emails to be sent that it became necessary to find a way to identify the source. Before this patch it was not possible for the average user to do so, and certainly not for the recipient of spam sent using those techniques.


The problem is that, without much fanfare, many sites that are otherwise secure are having information about their technology and directory structure (the path to scripts in protected areas) and private IP addresses (the home or office IP address of the user) exposed every time a script is used that sends emails from the server.


Suggested solutions for those who don't want the X-PHP-Script mail headers to appear range from self-editing the patch to change the behaviour, to avoiding use of the PHP mail() function altogether. Not entirely useful.


So what could be simpler than overwriting those variables before the mail() function is called, and then restoring them afterwards? If you already use a wrapper for sending mail then this is a once-off change. Otherwise, if you call the mail() function directly from your scripts, you'll have to modify each instance.


You might also consider writing your own wrapper for the mail function that gives you the option of disabling X-PHP-Script for protected scripts, but allowing the default behaviour for public forms. That is beyond the scope of this article.


The add_x_header option is turned off by default, but can easily be enabled in the php.ini file, or on a per-site/-folder basis. You may not want to leave it on all the time, as by definition it reveals some info about the originating PHP script.


Note that the log file must be writable by the web server. Whether the server runs as a generic Apache user, or the site account, the log file must have the necessary write permissions. For temporary tracing, you can probably just give it world-writable permissions.


Spammers are at a bit of a disadvantage here. Most backdoor scripts that spammers use are simple attacks that go for the easiest targets. Limiting the source of email to a single language or piece of software forces them to attack through that vector. And with these techniques, you can zero in on the source within minutes.


There is a bit of code from mailchimp that I need to update in the header.php file. I have tried to find the header.php file to update in wordpress and get an error message. My header at the moment is:


Although, have you checked Email Forms, which comes with X Theme? No need for code. It helps you to integrate your Mailchimp account and website. Please refer to the following article and let us know how it goes:



Thanks for the reply and suggestion to use the inbuilt email form. Unfortunately I need something that locks the download until the viewer has provided their email address. That is why I have been using Opt-in Panda.


Thanks for the suggestion. So would that classic protect allow the website viewer access to downloadable content as long as they provide me with an email address? Or is this a user log in type access?


The Classic Protect element will only give access to the protected content when the user logs in to the site. If you want to build an email list for the downloadable contents, you may need to find another 3rd party plugin that offers the feature.


The additional headers indicate other recipients or copies of your message like CC or BCC. They can be an array where the key is a header name and the value is a header value. Or they can be a string. In this case, headers should be separated with a CRLF (\r\n).


You also need to go to the PHP file installation folder and configure the SMTP settings in the php.ini file. But this will only work for localhost or XAMPP-like solutions, because, as we have already mentioned, the PHP mail() function does not support SMTP authentication and does not allow sending messages via external servers.


Note: As the Mailtrap API Client uses PSR-18 client abstraction and is thus not hard coupled to any library that sends HTTP messages, it gives you the flexibility to choose which HTTP client you want to use.


To send an email with attachments, we can use the attachFromPath() method provided by the Symfony Mime Email class. It allows us to attach a file by specifying the path to the file.


Sending emails with an embedded image is also quite easy, as we can use the ->embed() method as part of the Email object. The method essentially allows us to include images directly within the HTML body of the email, which can be referenced through a Content-ID (CID).


But first, we need to set up our Bulk Stream. So, navigate to the SMTP/API Settings tab in your Mailtrap account and select API in the Bulk Stream window. There, you can find the host and API Token, which you need to copy and paste into your PHP script.


With Mailtrap Email Testing you can check, preview, and troubleshoot your emails before you send them out. Essentially, you can inspect HTML/CSS of your email and easily spot faulty lines of code and fix/remove them.


For more information about Mailtrap Email Testing API, its functionalities and the various operations it allows you to perform (e.g., Testing and QA Automation, testing automated sequences, etc.) please refer to the official documentation.


Since the beginning of January 2023, the BlackBerry Threat Research and Intelligence team has been following two parallel malicious campaigns that use the same infrastructure but have different purposes.


The first campaign is related to a malvertising Google Ads Platform campaign which began several months ago and distributed fake versions of legitimate software products like AnyDesk (remote desktop software), Libre Office (an open-source office productivity software suite), TeamViewer (remote access and remote-control software), and Brave (a free and open-source web browser) among others. The threat actors cloned the websites of these real products and then registered similar-sounding domains. Their goal is to seed malware on the endpoints of users who were hoping to download these products.


BlackBerry has observed similar campaigns in the past. For example, back in February, we witnessed a campaign where a threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.




Vidar is an infostealer malware family which operates as a malware-as-a-service (MaaS). Based on Arkei infostealer, Vidar has been active since at least 2018, and steals information and cryptocurrency from infected devices. In Norse mythology, Vidar is a god associated with vengeance.


IcedID is a banking Trojan and remote access Trojan (RAT) used mainly to steal banking credentials. Also known as BokBot, IcedID was discovered around 2017. It is a second-stage malware that relies on other first-stage malware families, such as Emotet, to gain initial access and deploy it.


Both malware families were distributed during the end of 2022 and the beginning of 2023 in a massive campaign. We observed this campaign abusing the Google Ads Platform, which promotes the websites associated with search inquiries and offers them among the first search results users encounter. This misleads people who then click on the fraudulent websites, believing them to be the legitimate ones. This helps the threat actors distribute malware.


One thing that caught our attention right away is the fact that the newly registered domains are connected to a Spanish spear-phishing campaign we were already investigating, which used geofencing techniques to specifically target users based in Spain only.
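The mail() wrapper suggested in the X-PHP-Script discussion earlier in this post (one shared routine that hides the script path and remote IP for protected scripts but keeps the default header for public forms), as an added example that is not part of the original post. It assumes the patched mail() builds the header from $_SERVER['PHP_SELF'] and $_SERVER['REMOTE_ADDR']; the function name app_mail() is hypothetical.

```php
<?php
// Added example, not from the original post. Single mail() wrapper so every
// caller is handled by the same code. Assumption: the X-PHP-Script patch reads
// $_SERVER['PHP_SELF'] and $_SERVER['REMOTE_ADDR'], so replacing them for the
// duration of the call is enough to keep the admin directory and the
// operator's IP out of the header. app_mail() is a hypothetical name.

/**
 * @param bool $suppressOrigin true for scripts under a protected directory
 *                             (e.g. the admin area); false for public forms,
 *                             where the trace header helps track down abuse.
 */
function app_mail(string $to, string $subject, string $body,
                  string $headers = '', bool $suppressOrigin = true): bool
{
    if ($suppressOrigin) {
        // Try the official switch first. mail.add_x_header is PHP_INI_PERDIR,
        // so ini_set() usually fails at runtime; php.ini, httpd.conf or a
        // per-directory .user.ini is where it actually takes effect.
        @ini_set('mail.add_x_header', '0');
    }

    // Remember the values the patch reads; null means the key was absent (CLI).
    $saved = [
        'PHP_SELF'    => $_SERVER['PHP_SELF']    ?? null,
        'REMOTE_ADDR' => $_SERVER['REMOTE_ADDR'] ?? null,
    ];
    if ($suppressOrigin) {
        $_SERVER['PHP_SELF']    = '/mail.php'; // neutral path, no admin directory
        $_SERVER['REMOTE_ADDR'] = '0.0.0.0';   // hides the admin's home/office IP
    }

    try {
        return mail($to, $subject, $body, $headers);
    } finally {
        // Always restore, even if mail() throws (PHP 8 raises ValueError on
        // CR/LF in headers), so nothing else in the request sees fake values.
        foreach ($saved as $key => $value) {
            if ($value === null) {
                unset($_SERVER[$key]);
            } else {
                $_SERVER[$key] = $value;
            }
        }
    }
}

// Usage: admin area hides the origin; a public contact form keeps the default.
// app_mail('customer@example.com', 'Your order', 'Thanks!', 'From: shop@example.com');
// app_mail('shop@example.com', 'Contact form', $message, '', false);
```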
