Warm Greetings from ZNetLive!
This is to inform you that due to rising spamming activities, we have decided to disable the PHP mail() Function. It will be effective from February 15, 2016.
Description: By using PHP mail() function, you are sending emails even when you are not logged into your email account.
We will disable PHP mail()Function to protect ZNetLive’s reseller servers’s IP reputation.
Disablement Date: Monday, February 15, 2016.
Get to know about two vulnerabilities in mail() PHP Function:
- The first one allows to execute any program/script bypassing safe_mode restriction.
- The second one may give an open-relay script when mail() function is not carefully used in PHP scripts.
(1) Bypassing safe_mode restriction:
If PHP is configured with safe_mode option enabled, special restriction are set up including limit on external binaries that may be executed from within a PHP script. The 5th argument to the mail() function (introduced in version 4.0.5) allows specifying command line option to the sendmail binary. Some time ago, a bug was found in the mail() function allowing to pass shell meta-characters in the 5th argument, leading to execute arbitrary shell commands or external binaries. This bug was fixed in version 4.1.0.
However, mail() function is still vulnerable because it allows to pass command line arguments to the sendmail binary which gives the ability to influence its behavior (i.e. by using non-default aliases, custom configuration files – other cases are possible with others MTAs).
Passing 5th argument should be disabled if PHP is configured in safe_mode.
(2) Injecting ASCII control characters into mail() arguments:
Arbitrary ASCII control characters may be injected into string arguments of mail() function. If mail() arguments are taken from user’s input it may give the user ability to alter message content including mail headers. Example of such a vulnerability may be found on PHP.net website: http://www.php.net/mailing-lists.php?
Expectations from you: Disabling mail function would not cause problem to those who are genuine users and do not spam.
Use SMTP authentication in your mailing scripts to send emails and do consult with your developer to implement SMTP authentication in your mailing scripts.
If you are using WordPress, simply use SMTP authentication plugins.
For other websites, here is a sample code for you:
/* mail setup recipients, subject etc */
$recipients = “email@example.com”;
$headers[“From”] = “firstname.lastname@example.org”
;$headers[“To”] = “email@example.com”;
$headers[“Subject”] = “User feedback”;
$mailmsg = “Hello, This is a test using SMTP authentication.”;
/* SMTP server name, port, user/passwd */
$smtpinfo[“host”] = “ssl://server.hostname”;
$smtpinfo[“port”] = “465”;
$smtpinfo[“auth”] = true;
$smtpinfo[“username”] = “firstname.lastname@example.org”;
$smtpinfo[“password”] = “Ain@123”;
/* Create the mail object using the Mail::factory method */
$mail_object =& Mail::factory(“smtp”, $smtpinfo);
/* Ok send mail */
$mail_object->send($recipients, $headers, $mailmsg);
Thanks for your co-operation and support.