How not to use PHPMailer

I came across PHPMailer usage the other day on a Chinese gadget wholesale site “SourcingMap.com”.

If you submit something via their contact us form, interestingly you appear to get a dump from PHP telling you all about the PHPMailer object.

The output looks something like this:

object(PHPMailer)#15 (41) { [“Priority”]=> int(3) [“CharSet”]=> string(10) “iso-8859-1” [“ContentType”]=> string(9) “text/html” [“Encoding”]=> string(4) “8bit” [“ErrorInfo”]=> string(0) “” [“From”]=> string(16) “test@example.com” [“FromName”]=> string(11) “Sourcingmap” [“Sender”]=> string(0) “” [“Subject”]=> string(26) “Enquiry From Sourcingmap.” [“Body”]=> string(7) “Testing” [“AltBody”]=> string(0) “” [“WordWrap”]=> int(0) [“Mailer”]=> string(4) “smtp” [“Sendmail”]=> string(18) “/usr/sbin/sendmail” [“PluginDir”]=> string(0) “” [“Version”]=> string(9) “2.0.0 rc3” [“ConfirmReadingTo”]=> string(0) “” [“Hostname”]=> string(0) “” [“Host”]=> string(14) “smtp.gmail.com” [“Port”]=> int(465) [“Helo”]=> string(0) “” [“SMTPSecure”]=> string(3) “ssl” [“SMTPAuth”]=> bool(true) [“Username”]=> string(22) “orders@sourcingmap.com” [“Password”]=> string(16) “ilovesourcingmap” [“Timeout”]=> int(10) [“SMTPDebug”]=> bool(false) [“SMTPKeepAlive”]=> bool(false) [“SingleTo”]=> bool(false) [“smtp”]=> NULL [“to”]=> array(1) { [0]=> array(2) { [0]=> string(20) “info@sourcingmap.com” [1]=> string(11) “SourcingMap” } } [“cc”]=> array(0) { } [“bcc”]=> array(0) { } [“ReplyTo”]=> array(1) { [0]=> array(2) { [0]=> string(16) “test@example.com” [1]=> string(7) “My Name” } } [“attachment”]=> array(0) { } [“CustomHeader”]=> array(0) { } [“message_type”]=> string(0) “” [“boundary”]=> array(0) { } [“language”]=> array(0) { } [“error_count”]=> int(0) [“LE”]=> string(1) ” ” }

After taking a look at the source code, I found that it’s simply an “AJAX” call to a script called “mail_in_pop.php“.

The best thing about this whole issue is the fact that their password for their mailbox appears in plain text and would be easy to guess. I’m guessing this isn’t the only place they use this password.

Yet another PHP fail whale.

I’m available for hire if you want me to fix this.

Enjoy!

PS. I do actually like SourcingMap but there’s no excuse for this kind of blatantly poor security.

object(PHPMailer)#15 (41) { [“Priority”]=> int(3) [“CharSet”]=> string(10) “iso-8859-1” [“ContentType”]=> string(9) “text/html” [“Encoding”]=> string(4) “8bit” [“ErrorInfo”]=> string(0) “” [“From”]=> string(16) “test@example.com” [“FromName”]=> string(11) “Sourcingmap” [“Sender”]=> string(0) “” [“Subject”]=> string(26) “Enquiry From Sourcingmap.” [“Body”]=> string(7) “Testing” [“AltBody”]=> string(0) “” [“WordWrap”]=> int(0) [“Mailer”]=> string(4) “smtp” [“Sendmail”]=> string(18) “/usr/sbin/sendmail” [“PluginDir”]=> string(0) “” [“Version”]=> string(9) “2.0.0 rc3” [“ConfirmReadingTo”]=> string(0) “” [“Hostname”]=> string(0) “” [“Host”]=> string(14) “smtp.gmail.com” [“Port”]=> int(465) [“Helo”]=> string(0) “” [“SMTPSecure”]=> string(3) “ssl” [“SMTPAuth”]=> bool(true) [“Username”]=> string(22) “orders@sourcingmap.com” [“Password”]=> string(16) “ilovesourcingmap” [“Timeout”]=> int(10) [“SMTPDebug”]=> bool(false) [“SMTPKeepAlive”]=> bool(false) [“SingleTo”]=> bool(false) [“smtp”]=> NULL [“to”]=> array(1) { [0]=> array(2) { [0]=> string(20) “info@sourcingmap.com” [1]=> string(11) “SourcingMap” } } [“cc”]=> array(0) { } [“bcc”]=> array(0) { } [“ReplyTo”]=> array(1) { [0]=> array(2) { [0]=> string(16) “test@example.com” [1]=> string(7) “My Name” } } [“attachment”]=> array(0) { } [“CustomHeader”]=> array(0) { } [“message_type”]=> string(0) “” [“boundary”]=> array(0) { } [“language”]=> array(0) { } [“error_count”]=> int(0) [“LE”]=> string(1) ” ” } Your enquiry has been successfully sent to the Store Owner.