Obfuscate X-Php-Originating-Script

Ragamffn · Mar 15, 2013 · Viewed 8.3k times

If there is no access to php.ini (assume php -v >= 5.3 & mail.add_x_header = 1), or a way to patch mail, is there a way to change the X-Php-Originating-Script header when using php's mail() function?

The little research I did indicated that altering $_SERVER['PHP_SELF'] prior to calling mail() would do the trick; however, this did not work for me.

I also tried setting X-Php-Originating-Script directly; this resulted in an additional 'X-Php-Originating-Script' header.

The goal in this case is to prevent recipients of said email from gleaning details on script nomenclature.

Thanks!

Answer

Night Owl · Aug 5, 2014

According to the PHP Manual (PHP Manual >> Function Reference >> Mail Related Extensions >> Mail >> Installing/Configuring), that header can be turned off using php.ini or a .htaccess file, which would prevent anyone from gleaning information from your mail headers without you having access to your php.ini file.

The setting to turn it off is:

mail.add_x_header bool

Add X-PHP-Originating-Script that will include UID of the script followed by the filename.

which would make the actual line needed to disable it:

mail.add_x_header = 0

This setting is flagged with the PHP_INI_PERDIR mode (Available since PHP 5.3.0). PHP_INI_PERDIR means that the "Entry can be set in php.ini, .htaccess, httpd.conf or .user.ini (since PHP 5.3)."

For .htaccess:

php_flag mail.add_x_header Off

I have not personally tested this so YMMV.
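One way to check the result on a test message after changing the setting (an added example, not part of the original answer): it parses a raw message and reports every X-PHP-Originating-Script header, including a duplicate like the one described in the question. The function name and the sample messages are constructed for illustration, and the value is assumed to have the form UID, colon, script filename.

```python
import re
from email import message_from_string

HEADER = "X-PHP-Originating-Script"
# Assumed value format: "<uid>:<script filename>", e.g. "1000:contact.php".
VALUE_RE = re.compile(r"^\s*(\d+):(.+?)\s*$")


def find_script_leaks(raw_message):
    """Return one dict per X-PHP-Originating-Script header in a raw message.

    get_all() matches header names case-insensitively and returns every
    occurrence, so a header set by hand in mail()'s additional headers
    shows up next to the one PHP adds itself.
    """
    msg = message_from_string(raw_message)
    leaks = []
    for value in msg.get_all(HEADER, []):
        m = VALUE_RE.match(value)
        leaks.append({
            "raw": value.strip(),
            "uid": int(m.group(1)) if m else None,
            "script": m.group(2) if m else None,
        })
    return leaks


# Constructed sample messages (not captured mail).
LEAKY = (
    "To: user@example.com\n"
    "Subject: test\n"
    "X-PHP-Originating-Script: 1000:send_invoice.php\n"
    "X-Php-Originating-Script: hidden\n"
    "\n"
    "body\n"
)
CLEAN = "To: user@example.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        leaks = find_script_leaks(raw)
        print(name, "->", leaks if leaks else "header absent")
```

An empty list for a message sent after the change means the setting took effect for that directory.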