5

If there is no access to php.ini (assume php -v >= 5.3 & mail.add_x_header = 1), or a way to patch mail, is there a way to change the X-Php-Originating-Script header when using php's mail() function?

The little research I did indicated that altering $_SERVER['PHP_SELF'] prior to calling mail() would do the trick, however this did not work for me.

I also tried setting X-Php-Originating-Script directly, this resulted in an additional 'X-Php-Originating-Script' header.

The goal in this case is to prevent recipients of said email from gleaning details on script nomenclature.

Thanks!

Ragamffn
  • I downvoted your question for accepting the wrong answer. Please select the answer by Night Owl so people reading your question are finding the info that actually helps them! – Dominique Feb 25 '19 at 10:37
  • 1
    @Dominique Thanks for the heads up! – Ragamffn Mar 01 '19 at 18:14

3 Answers

13

According to the PHP Manual (PHP Manual >> Function Reference >> Mail Related Extensions >> Mail >> Installing/Configuring) that header can be turned off using php.ini or .htaccess file which would prevent anyone from gleaning information from your mail headers without you having access to your php.ini file.

The setting to turn it off is:

mail.add_x_header bool

Add X-PHP-Originating-Script that will include UID of the script followed by the filename.

which would make the actual line needed to disable it:

mail.add_x_header = 0

This setting is flagged with the PHP_INI_PERDIR mode (Available since PHP 5.3.0). PHP_INI_PERDIR means that the "Entry can be set in php.ini, .htaccess, httpd.conf or .user.ini (since PHP 5.3)."

For .htaccess:

php_flag mail.add_x_header Off

I have not personally tested this so YMMV.

rustyx
Night Owl
  • 1
    This does not work in PHP Version 5.3.10-1ubuntu3.11. Too bad. I tried `mail.add_x_header 0` and `mail.add_x_header Off` in .htaccess. Is the syntax different? – Swiss Mister Aug 13 '14 at 07:56
  • 1
    @SwissMister The syntax would be “php_flag mail.add_x_header Off”, ideally wrapped inside an tag. – Teddy Mar 06 '15 at 09:54
3

Well, if we check out the source code for the mail() function, we can see it's hard-coded in there:

if (headers != NULL) {
    spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n%s", php_getuid(), f, headers);
} else {
    spprintf(&hdr, 0, "X-PHP-Originating-Script: %ld:%s\n", php_getuid(), f);
}

So, it's hard-coded to put in the uid. But let's see where that takes us.

Now, you should understand that the SAPI is basically a polymorphic way of different server APIs communicating with PHP. So if we look at a few SAPIs:

  • mod_php with Apache

    This just returns the finfo construct that apache passes it. No chance to modify it (it's not an environmental variable). It comes directly from apache. So no luck.

  • FPM

    This doesn't even implement sapi_get_stat(). So the default behavior is still run (which is a basic stat of the current path).

So the short answer is no, it's not possible without patching PHP's core...

ircmaxell
  • Good to point at the source, but bad to omit that the quoted code block is inside an `if (PG(mail_x_header))` condition, which makes @NightOwl's answer more plausible. – Swiss Mister Aug 13 '14 at 08:00
  • Night Owl's solution is working, so although your answer got selected by the OP, what you say here is not accurate. – Dominique Feb 25 '19 at 10:39
0

This might not be the most elegant solution but it is the one that works for sure.

You can hook the PHP mail function by setting a wrapper script in php.ini instead of sendmail:

sendmail_path = /usr/local/bin/php_mail_wrapper

Then in the script itself you can do something like this:

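#!/usr/bin/php
<?php
// Wrapper used as sendmail_path: drops the X-PHP-Originating-Script header
// and hands the rest of the message to the real sendmail binary.

$sendmail_path = '/usr/sbin/sendmail';
$handle = fopen('php://stdin', 'r');
$mail = '';
$in_headers = true;

while (($mail_line = fgets($handle)) !== false) {
    // The header block ends at the first empty line; body lines are kept as-is.
    if ($in_headers && rtrim($mail_line, "\r\n") === '') {
        $in_headers = false;
    }
    if ($in_headers && preg_match('/^X-PHP-Originating-Script:/i', $mail_line)) {
        continue;
    }
    $mail .= $mail_line;
}

// Write the message to sendmail's stdin rather than passing it through
// "echo" on a shell command line (argument size limits, escape handling).
$pipe = popen($sendmail_path . ' -t -i', 'w');
if ($pipe === false) {
    exit(1);
}
fwrite($pipe, $mail);
exit(pclose($pipe) === 0 ? 0 : 1);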

Credit for the idea goes to: How to hook PHP mail function

maxxx
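A check to run on a captured outbound message after applying either fix, as an added example that is not part of any answer above: it lists every X-PHP-Originating-Script header in the header block and parses the value using the `uid:filename` format from the quoted source. The function name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

HEADER = "X-PHP-Originating-Script"
# PHP formats the value as "%ld:%s": numeric UID, a colon, the script filename.
PHP_VALUE = re.compile(r"(-?\d+):(.+)", re.S)


def find_leaks(raw_message):
    """Return one finding per X-PHP-Originating-Script header; body text is ignored."""
    msg = message_from_string(raw_message)
    findings = []
    for value in msg.get_all(HEADER, []):  # header-name lookup is case-insensitive
        value = re.sub(r"\r?\n[ \t]+", " ", value).strip()  # unfold continuation lines
        m = PHP_VALUE.fullmatch(value)
        if m:  # value written by PHP: exposes the UID and the script name
            findings.append({"uid": int(m.group(1)), "script": m.group(2).strip(),
                             "php_format": True})
        else:  # e.g. a header the script set by hand
            findings.append({"uid": None, "script": value, "php_format": False})
    return findings


# Constructed sample messages (not taken from the page).
LEAKY = ("To: user@example.com\n"
         "Subject: Hello\n"
         "x-php-originating-script: 1001:contact_form.php\n"
         "From: site@example.com\n"
         "\n"
         "Body text\n")
# A script that sets the header itself still gets PHP's own header as well.
DOUBLE = ("To: user@example.com\n"
          "Subject: Hello\n"
          "X-PHP-Originating-Script: 1001:mailer.php\n"
          "X-PHP-Originating-Script: none\n"
          "\n"
          "Body text\n")
# Header disabled; the same text appearing in the body is not a finding.
CLEAN = ("To: user@example.com\n"
         "Subject: Re: headers\n"
         "\n"
         "X-PHP-Originating-Script: 33:form.php\n")

if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("DOUBLE", DOUBLE), ("CLEAN", CLEAN)):
        leaks = find_leaks(raw)
        print(name, "FAIL" if leaks else "ok", leaks)
```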