
php mail headers - X-PHP-Script

Posted: Sat Nov 28, 2009 8:55 am
by jeffz2010
At some point a patch was added to php allowing identification of a rogue script sending spam (for instance).
It looks (in sent mail headers) something like this:

Code:

X-PHP-Script http://www.domain.co.uk/mailscript.php for [sending IP]
Is there a way to hide or modify this part: "www.domain.co.uk/", say to ... some id number - meaningless to an outsider, but serving as a resource locator for e.g. an admin looking for the source of trouble?
Does php allow that?

If yes, how is it done?
Does anyone know?

regards,

Jeff

Re: php mail headers - X-PHP-Script

Posted: Sat Nov 28, 2009 2:44 pm
by daedalus__
are you parsing logs?

look up string functions and regular expressions.

Re: php mail headers - X-PHP-Script

Posted: Sat Nov 28, 2009 6:23 pm
by jeffz2010
daedalus__ wrote: are you parsing logs?
look up string functions and regular expressions.

It's not that.
To my taste, it reveals vital info (e.g. directory structure) to a potential bad guy.
e.g. the recent exploit decimating osCommerce-based systems - to start with.
It prevents a developer from hiding e.g. the admin section location, and it also defeats any active hide/seek solution.
The patch was intended to show which script is out of line, but in this form it is just a dangerous advert of the system's underbelly.

I wonder if instead of:

Code:

X-PHP-Script http://www.domain.co.uk/mailscript.php for [sending IP]
one would be able to:

Code:

X-PHP-Script [internal_id_number]/mailscript.php for [sending IP]
[internal_id_number] is more than enough to locate an out-of-line script (if the name alone is not enough).

Re: php mail headers - X-PHP-Script

Posted: Sat Nov 28, 2009 7:26 pm
by daedalus__
well... you'll have to find a way to change the header. the hard drive on my development machine took a crap today so i can't really experiment.

you couldddd change the patch :)

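Code:

        /* Builds "X-PHP-Script: <server_name><php_self> for [<forwarded_for>, ]<remote_addr>". */
        /* strcpy/strcat do no bounds checking: headers2 must already be large enough for all parts. */
        strcpy(headers2, "X-PHP-Script: ");
        strcat(headers2, Z_STRVAL_PP(server_name));
        strcat(headers2, Z_STRVAL_PP(php_self));
        strcat(headers2, " for ");
        /* forwarded_for is optional; when present it goes before the remote address */
        if (forwarded_for) {
            strcat(headers2, Z_STRVAL_PP(forwarded_for));
            strcat(headers2, ", ");
        }
        strcat(headers2, Z_STRVAL_PP(remote_addr));
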
those lines
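
One way the change discussed in this thread could look, as an added example that is not part of the thread or of the PHP patch: a stand-alone C function that emits the header with an opaque site id and only the script's file name. The lookup table, the ids, the function names and the use of plain C strings in place of the Zend values are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table (hypothetical): kept private by the admin. */
struct site_id { const char *host; const char *id; };
static const struct site_id SITE_IDS[] = {
    { "www.domain.co.uk",  "s0417" },
    { "shop.example.test", "s0932" },
};

/* Return the opaque id for a host, or "s0000" when the host is unknown. */
static const char *lookup_site_id(const char *host) {
    for (size_t i = 0; i < sizeof SITE_IDS / sizeof SITE_IDS[0]; i++)
        if (strcmp(SITE_IDS[i].host, host) == 0)
            return SITE_IDS[i].id;
    return "s0000";
}

/* Build "X-PHP-Script: <id>/<script> for [<forwarded_for>, ]<remote_addr>".
 * Returns 0 on success, -1 if a field contains CR/LF or the result does not fit. */
int build_script_header(char *out, size_t cap, const char *server_name,
                        const char *php_self, const char *forwarded_for,
                        const char *remote_addr) {
    const char *fwd = forwarded_for ? forwarded_for : "";
    const char *fields[] = { php_self, fwd, remote_addr };
    for (size_t i = 0; i < 3; i++)
        if (strpbrk(fields[i], "\r\n"))
            return -1;                        /* never let a value start a new header line */
    const char *script = strrchr(php_self, '/');
    script = script ? script + 1 : php_self;  /* keep the file name, drop the directory path */
    int n = snprintf(out, cap, "X-PHP-Script: %s/%s for %s%s%s",
                     lookup_site_id(server_name), script,
                     fwd, forwarded_for ? ", " : "", remote_addr);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;  /* bounded, unlike strcpy/strcat */
}

int main(void) {
    char h[128];
    if (build_script_header(h, sizeof h, "www.domain.co.uk",
                            "/admin/tools/mailscript.php", NULL, "203.0.113.7") == 0)
        puts(h);
    return 0;
}
```

Dropping the directory means two scripts with the same file name on one site look identical in the header, so the id table or server-side logging has to carry whatever extra detail the admin needs.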