#293 X-Source-Dir header with full path disclosure

2.2
open
nobody
None
5
2010-11-05
2010-09-16
Mikhail Miguel
No

Hi! All emails sent by XC's sendmail contain the following email headers: X-Source, X-Source-Args (generally /usr/bin/php on Linux) and X-Source-Dir. The main problem is X-Source-Dir, a header with a full path disclosure of the script used to send the mail. This presents a security problem since certain directories and scripts should never be known to anyone but the webmaster. The problem is compounded if the user is using shared hosting (and most users do).
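A quick check for the disclosure described in the report, added here as an example and not part of the ticket or of PHPMailer: it parses a raw outgoing message, reports any of the three headers named above together with the filesystem paths they carry, and shows the mitigation of stripping them before the message leaves (assuming you have a hook, such as an outbound filter or a test harness, where the raw message is available). The sample message and its header values are constructed for illustration; the header names come from the report, everything else (the function names, the regex, the paths) is an assumption of this example.

```python
import re
import email
from email import policy

# The three headers named in the report.
DISCLOSURE_HEADERS = ("X-Source", "X-Source-Args", "X-Source-Dir")

# Absolute Unix paths at the start of the value or after whitespace/colon
# (assumption: the disclosed values look like "/usr/bin/php /home/..." or
# "domain:/dir"; adjust for other layouts).
PATH_RE = re.compile(r"(?:^|[\s:])(/[\w.\-/]+)")

# Constructed sample of an outgoing message (not a real capture).
SAMPLE_MESSAGE = """\
Received: from localhost (localhost [127.0.0.1])
From: webmaster@example.com
To: user@example.net
Subject: Test
X-Source:
X-Source-Args: /usr/bin/php /home/acct/public_html/contact.php
X-Source-Dir: example.com:/public_html/secret-admin
Message-ID: <abc@example.com>

body
"""


def find_path_disclosure(raw_message):
    """Return one finding per non-empty X-Source* header, with the paths it leaks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for name in DISCLOSURE_HEADERS:
        for value in msg.get_all(name, []):
            value = str(value).strip()
            if not value:
                continue  # an empty X-Source: discloses nothing
            findings.append({
                "header": name,
                "value": value,
                "paths": PATH_RE.findall(value),
            })
    return findings


def strip_disclosure_headers(raw_message):
    """Return the message with every X-Source* header removed (all occurrences)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for name in DISCLOSURE_HEADERS:
        del msg[name]
    return msg.as_string()


if __name__ == "__main__":
    for f in find_path_disclosure(SAMPLE_MESSAGE):
        print(f"{f['header']}: {f['value']}  -> leaks {f['paths']}")
    print("after stripping:", find_path_disclosure(strip_disclosure_headers(SAMPLE_MESSAGE)))
```

Run it against a message captured from your own server (for example the raw source of a test mail sent through your contact form) rather than the constructed sample; the point is to see whether the mail actually leaving the host carries these headers, regardless of which component inserted them.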

Discussion

  • Mikhail Miguel
    Mikhail Miguel
    2010-09-17

    Oops! I wrote "Sendmail" but I meant "PHPMailer".

     
  • Mikhail Miguel
    Mikhail Miguel
    2010-11-05

    Now I'm not sure if it is about a PHPMailer config problem or a Server/PHP config problem...

     
  • Mikhail Miguel
    Mikhail Miguel
    2010-11-05

    • summary: X-Source-Dir header with full path disclosure --> X-Source-Dir header with full path disclosure