[atomic] PHP 5.2.9-2

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Changelog:

- Added mail-header patch; this adds a header indicating what script invoked the mail() function. Useful for tracking spam.

Example output on mail sent through php:
X-PHP-Script: example.com/test.php for 10.11.12.13

If you're trying to track down the source of spam from PHP scripts this would be invaluable. Many thanks to ikk on #plesk for pointing this patch out to me.

To upgrade:

yum upgrade php
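
The header shown in the post above can be tallied across stored messages to see which script is sending the most mail. This is an added example, not part of the original post or of the patch; it assumes the value always has the form "<vhost/path> for <client address>" as in the single sample given, and the function names and sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Assumed layout, inferred from the one sample line in the post:
#   X-PHP-Script: example.com/test.php for 10.11.12.13
HEADER_RE = re.compile(r"^(?P<script>.+?)\s+for\s+(?P<client>\S+)$")

def parse_php_script_header(value):
    """Return (script, client) or None when the value does not match."""
    m = HEADER_RE.match(value.strip())
    return (m.group("script"), m.group("client")) if m else None

def tally(raw_messages):
    """Count messages per script and collect the client addresses seen.

    Mail with no (or an unparseable) header is counted under None so that
    messages which did not come through the patched mail() stay visible.
    """
    per_script, clients = Counter(), {}
    for raw in raw_messages:
        value = message_from_string(raw).get("X-PHP-Script")
        parsed = parse_php_script_header(value) if value else None
        script, client = parsed if parsed else (None, None)
        per_script[script] += 1
        if script is not None:
            clients.setdefault(script, set()).add(client)
    return per_script, clients

def noisy_scripts(per_script, threshold):
    """Scripts that sent at least `threshold` messages, sorted by name."""
    return sorted(s for s, n in per_script.items() if s and n >= threshold)

def _msg(header):
    # Constructed sample message; addresses are documentation ranges.
    lines = ["From: www@example.com", "To: user@example.net", "Subject: hi"]
    if header:
        lines.append("X-PHP-Script: " + header)
    return "\n".join(lines) + "\n\nbody\n"

SAMPLE_MESSAGES = [
    _msg("example.com/test.php for 10.11.12.13"),
    _msg("example.com/test.php for 10.11.12.13"),
    _msg("example.com/test.php for 192.0.2.7"),
    _msg("example.com/contact.php for 192.0.2.7"),
    _msg(None),
]

if __name__ == "__main__":
    counts, seen = tally(SAMPLE_MESSAGES)
    for script in noisy_scripts(counts, 3):
        print(script, counts[script], sorted(seen[script]))
```
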
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

kick ass!!!
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Shame it can't log them though. I imagine you could do this with qmail wrapper, using the info in the header, but it would be nice to have it built-in.

Faris.
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

This is very useful, improved logging would be good and it would be nice to be able to disable it on certain paths - not found a way yet - as not all web forms are at risk and outgoing messages with /paths/to/scripts in the mail header is a slight vulnerability in itself.

Anyway, the benefits far outweigh the drawbacks... Nice addition!
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

I don't think it's /full/path/script.php - from scott's description it is vhost/web/path/to/script.php
Something that most people who are visiting the form would probably already know.
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

Thanks hostingguy - I realise that, should have been clearer - it shows domain/path/to/script. We make use of PHP mail via CMS (for e-commerce/newsletters) and all these messages will now contain the domain/path/to/cms and admin user's IP, which provides the recipient with a lot of information.
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

What can they really do with that?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

If you see more patches like this, please let me know. There's always room for improvement!
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

hostingguy wrote: what can they really do with that?
Nothing specific, but want to avoid being the lowest hanging fruit. Security through obscurity is one aspect of risk management & damage limitation and while I'm not losing sleep over this additional header - it's useful - if there is a way to disable it for certain parts of our web service, we will.