How not to use PHPMailer

Posted by admin

I came across PHPMailer usage the other day on a Chinese gadget wholesale site “SourcingMap.com”.

If you submit something via their contact-us form, interestingly enough you get a PHP var_dump of the entire PHPMailer object back in the response.

The output looks something like this:

object(PHPMailer)#15 (41) {
  ["Priority"]=> int(3)
  ["CharSet"]=> string(10) "iso-8859-1"
  ["ContentType"]=> string(9) "text/html"
  ["Encoding"]=> string(4) "8bit"
  ["ErrorInfo"]=> string(0) ""
  ["From"]=> string(16) "test@example.com"
  ["FromName"]=> string(11) "Sourcingmap"
  ["Sender"]=> string(0) ""
  ["Subject"]=> string(26) "Enquiry From Sourcingmap."
  ["Body"]=> string(7) "Testing"
  ["AltBody"]=> string(0) ""
  ["WordWrap"]=> int(0)
  ["Mailer"]=> string(4) "smtp"
  ["Sendmail"]=> string(18) "/usr/sbin/sendmail"
  ["PluginDir"]=> string(0) ""
  ["Version"]=> string(9) "2.0.0 rc3"
  ["ConfirmReadingTo"]=> string(0) ""
  ["Hostname"]=> string(0) ""
  ["Host"]=> string(14) "smtp.gmail.com"
  ["Port"]=> int(465)
  ["Helo"]=> string(0) ""
  ["SMTPSecure"]=> string(3) "ssl"
  ["SMTPAuth"]=> bool(true)
  ["Username"]=> string(22) "orders@sourcingmap.com"
  ["Password"]=> string(16) "ilovesourcingmap"
  ["Timeout"]=> int(10)
  ["SMTPDebug"]=> bool(false)
  ["SMTPKeepAlive"]=> bool(false)
  ["SingleTo"]=> bool(false)
  ["smtp"]=> NULL
  ["to"]=> array(1) { [0]=> array(2) { [0]=> string(20) "info@sourcingmap.com" [1]=> string(11) "SourcingMap" } }
  ["cc"]=> array(0) { }
  ["bcc"]=> array(0) { }
  ["ReplyTo"]=> array(1) { [0]=> array(2) { [0]=> string(16) "test@example.com" [1]=> string(7) "My Name" } }
  ["attachment"]=> array(0) { }
  ["CustomHeader"]=> array(0) { }
  ["message_type"]=> string(0) ""
  ["boundary"]=> array(0) { }
  ["language"]=> array(0) { }
  ["error_count"]=> int(0)
  ["LE"]=> string(1) " "
}

After taking a look at the page source, I found that the form is simply an "AJAX" call to a script called "mail_in_pop.php", and that script's output is what gets echoed back to the browser.

The worst part of this whole issue is that the SMTP password for their mailbox appears in plain text in the response, and it is the kind of password that would be easy to guess anyway. With Host, Port, Username and Password all sitting in the dump, anyone who submits the form has everything needed to authenticate to that mailbox. I'm guessing this isn't the only place they use this password.
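To make the failure concrete, here is the pattern the post describes next to a version that does not leak. This is an added example, not code from SourcingMap or from the PHPMailer project; it assumes PHPMailer 6.x installed via Composer, and the environment variable names, form field names and mail addresses are my own placeholders. The site in the post ran the older 2.0.0 rc3, whose method names were capitalised (IsSMTP, AddAddress, Send), but the properties that leaked (Host, Username, Password) are the same public fields on every version, so a var_dump or print_r of the object is equally dangerous on either.

```php
<?php
// Added example (not SourcingMap's or PHPMailer's code). Assumes PHPMailer 6.x via Composer.
// SMTP_* environment variable names, form fields and addresses are assumptions.
declare(strict_types=1);

require __DIR__ . '/../vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

// --- The pattern from the post (do NOT deploy) --------------------------------
// A debugging dump left in the form handler sends every property of the object,
// Username and Password included, to whoever submitted the form.
function leakyHandler(PHPMailer $mail): void
{
    $mail->send();
    var_dump($mail);                        // <- credentials go straight to the client
    echo 'Your enquiry has been successfully sent to the Store Owner.';
}

// --- Hardened version ---------------------------------------------------------

/** Read a required secret from the environment (set by the web server or from a
 *  file outside the document root). Nothing secret lives in a script under the webroot. */
function requireEnv(string $name): string
{
    $v = getenv($name);
    if ($v === false || $v === '') {
        throw new RuntimeException("missing configuration: $name");
    }
    return $v;
}

function buildMailer(): PHPMailer
{
    $mail = new PHPMailer(true);                        // true => throw on failure instead of returning false
    $mail->isSMTP();
    $mail->Host       = requireEnv('SMTP_HOST');
    $mail->Port       = (int) requireEnv('SMTP_PORT');
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_SMTPS;    // implicit TLS, the usual choice for port 465
    $mail->SMTPAuth   = true;
    $mail->Username   = requireEnv('SMTP_USER');
    $mail->Password   = requireEnv('SMTP_PASS');
    $mail->SMTPDebug  = 0;                              // debug output would otherwise land in the HTTP response
    $mail->CharSet    = PHPMailer::CHARSET_UTF8;
    return $mail;
}

/** If you really must inspect the object while debugging, mask the secret first. */
function redactedDump(PHPMailer $mail): string
{
    $copy = clone $mail;
    $copy->Password = '[redacted]';
    return print_r($copy, true);
}

/** Returns an array for the JSON response; never exposes mailer internals. */
function handleContactForm(array $post): array
{
    $replyTo = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $name    = trim((string) ($post['name'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));
    if ($replyTo === false || $message === '') {
        return ['ok' => false, 'error' => 'Please supply a valid e-mail address and a message.'];
    }

    try {
        $mail = buildMailer();
        $mail->setFrom('orders@example.com', 'Store');    // a mailbox you control, not the visitor's address
        $mail->addAddress('info@example.com', 'Store Owner');
        $mail->addReplyTo($replyTo, $name);               // the visitor's address goes in Reply-To only
        $mail->Subject = 'Enquiry from the contact form';
        $mail->Body    = $message;                        // plain text; no visitor-supplied HTML
        $mail->send();
        return ['ok' => true, 'message' => 'Your enquiry has been sent to the Store Owner.'];
    } catch (Throwable $e) {
        // Detail (PHPMailer's ErrorInfo is in the exception message) stays in the server log;
        // the client only ever sees a generic failure.
        error_log('contact form failure: ' . $e->getMessage());
        return ['ok' => false, 'error' => 'Sorry, your enquiry could not be sent right now.'];
    }
}

header('Content-Type: application/json; charset=utf-8');
echo json_encode(handleContactForm($_POST), JSON_THROW_ON_ERROR);
```

Two things worth checking on any existing handler before worrying about the rest: grep the deployed PHP for var_dump, print_r and var_export calls that reach the response, and confirm SMTPDebug is 0 in production, since PHPMailer writes its SMTP transcript (which includes the AUTH exchange) to the output by default when debugging is on.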

Yet another PHP fail whale.

I’m available for hire if you want me to fix this.

Enjoy!

PS. I do actually like SourcingMap but there’s no excuse for this kind of blatantly poor security.

The raw response from mail_in_pop.php is the dump shown above, immediately followed by the page's normal confirmation text: Your enquiry has been successfully sent to the Store Owner.


About admin

The author formerly known as HM2K is now the Phurix Labs administrator.

This entry was posted in Sysadmin.
