
Private/privileged site information is being revealed in email headers

Stefan Muth shared this idea 13 months ago
Needs Review

As a cPanel/WHM user I was appalled to find that a trove of sensitive information is, by default, being divulged when my website sends emails using PHP mail().

Worse, there is no easy way to turn this behavior off. Exposing a website's inner workings to users/hackers in return for tracking spammers is an unacceptable trade-off.

I would like to see an option that allows webmasters to easily suppress these headers, which are:

X-PHP-Script
X-PHP-Originating-Script
X-Source-Args
X-Source-Dir

These expose hidden script names and directories, include file names, script arguments, entire directory structures, cPanel information, the site owner's and other users' IP addresses. Scripts that would normally be hidden from users (because... you guessed it... they shouldn't be executed by users/hackers!) are easily available to anyone who examines an email header.

There appears to be no easy way to suppress all of those headers, and it is switched on by default without the webmaster being aware of it.

This information, at a very minimum, should not be revealed for those legitimate email senders who authenticate their emails through DKIM, DMARC, and SPF.
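An added example, not part of the original post or of cPanel: a small audit that parses an outbound message, reports the four headers named above together with the filesystem paths they leak, and produces a copy with those headers removed. The sample message and its header values are constructed, and the layout of the values is assumed.

```python
import email
import re
from email import policy

# The four headers the feature request identifies as disclosing server details.
DISCLOSING_HEADERS = (
    "X-PHP-Script",
    "X-PHP-Originating-Script",
    "X-Source-Args",
    "X-Source-Dir",
)

# Constructed sample of an outbound message; values are illustrative and
# the format of each header is an assumption, not captured output.
SAMPLE_RAW = """From: noreply@example.com
To: customer@example.net
Subject: Your order
X-PHP-Script: example.com/contact/send.php for 203.0.113.5
X-PHP-Originating-Script: 1001:send.php
X-Source-Args: /usr/bin/php /home/example/public_html/contact/send.php
X-Source-Dir: example.com:/public_html/contact
Message-ID: <constructed-id@example.com>

Thanks for your order.
"""

# Absolute paths (a leading "/" not glued to a preceding word character).
_PATH_RE = re.compile(r"(?<!\w)/[\w./-]+")


def find_disclosures(raw: str) -> dict:
    """Return {header: [values]} for every disclosing header present."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for name in DISCLOSING_HEADERS:
        values = msg.get_all(name)
        if values:
            found[name] = [str(v) for v in values]
    return found


def leaked_paths(raw: str) -> list:
    """Collect the filesystem paths exposed by the disclosing headers."""
    text = " ".join(v for vals in find_disclosures(raw).values() for v in vals)
    return sorted(set(_PATH_RE.findall(text)))


def strip_disclosures(raw: str) -> str:
    """Return the message with all disclosing headers removed (del drops every occurrence)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name in DISCLOSING_HEADERS:
        del msg[name]
    return msg.as_string()
```

Of these four, only X-PHP-Originating-Script is controlled from PHP itself (the mail.add_x_header php.ini setting); the other three are added outside PHP by the server's mail stack, which is why a php.ini change alone does not remove them.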
