How not to use PHPMailer

I came across PHPMailer usage the other day on a Chinese gadget wholesale site “SourcingMap.com”.

If you submit something via their contact us form, interestingly you appear to get a dump from PHP telling you all about the PHPMailer object.

The output looks something like this:

object(PHPMailer)#15 (41) { [“Priority”]=> int(3) [“CharSet”]=> string(10) “iso-8859-1” [“ContentType”]=> string(9) “text/html” [“Encoding”]=> string(4) “8bit” [“ErrorInfo”]=> string(0) “” [“From”]=> string(16) “[email protected]” [“FromName”]=> string(11) “Sourcingmap” [“Sender”]=> string(0) “” [“Subject”]=> string(26) “Enquiry From Sourcingmap.” [“Body”]=> string(7) “Testing” [“AltBody”]=> string(0) “” [“WordWrap”]=> int(0) [“Mailer”]=> string(4) “smtp” [“Sendmail”]=> string(18) “/usr/sbin/sendmail” [“PluginDir”]=> string(0) “” [“Version”]=> string(9) “2.0.0 rc3” [“ConfirmReadingTo”]=> string(0) “” [“Hostname”]=> string(0) “” [“Host”]=> string(14) “smtp.gmail.com” [“Port”]=> int(465) [“Helo”]=> string(0) “” [“SMTPSecure”]=> string(3) “ssl” [“SMTPAuth”]=> bool(true) [“Username”]=> string(22) “[email protected]” [“Password”]=> string(16) “ilovesourcingmap” [“Timeout”]=> int(10) [“SMTPDebug”]=> bool(false) [“SMTPKeepAlive”]=> bool(false) [“SingleTo”]=> bool(false) [“smtp”]=> NULL [“to”]=> array(1) { [0]=> array(2) { [0]=> string(20) “[email protected]” [1]=> string(11) “SourcingMap” } } [“cc”]=> array(0) { } [“bcc”]=> array(0) { } [“ReplyTo”]=> array(1) { [0]=> array(2) { [0]=> string(16) “[email protected]” [1]=> string(7) “My Name” } } [“attachment”]=> array(0) { } [“CustomHeader”]=> array(0) { } [“message_type”]=> string(0) “” [“boundary”]=> array(0) { } [“language”]=> array(0) { } [“error_count”]=> int(0) [“LE”]=> string(1) ” ” }

After taking a look at the source code, I found that it’s simply an “AJAX” call to a script called “mail_in_pop.php“.

The best thing about this whole issue is the fact that their password for their mailbox appears in plain text and would be easy to guess. I’m guessing this isn’t the only place they use this password.

Yet another PHP fail whale.

I’m available for hire if you want me to fix this.

Enjoy!

PS. I do actually like SourcingMap but there’s no excuse for this kind of blatantly poor security.

object(PHPMailer)#15 (41) { [“Priority”]=> int(3) [“CharSet”]=> string(10) “iso-8859-1” [“ContentType”]=> string(9) “text/html” [“Encoding”]=> string(4) “8bit” [“ErrorInfo”]=> string(0) “” [“From”]=> string(16) “[email protected]” [“FromName”]=> string(11) “Sourcingmap” [“Sender”]=> string(0) “” [“Subject”]=> string(26) “Enquiry From Sourcingmap.” [“Body”]=> string(7) “Testing” [“AltBody”]=> string(0) “” [“WordWrap”]=> int(0) [“Mailer”]=> string(4) “smtp” [“Sendmail”]=> string(18) “/usr/sbin/sendmail” [“PluginDir”]=> string(0) “” [“Version”]=> string(9) “2.0.0 rc3” [“ConfirmReadingTo”]=> string(0) “” [“Hostname”]=> string(0) “” [“Host”]=> string(14) “smtp.gmail.com” [“Port”]=> int(465) [“Helo”]=> string(0) “” [“SMTPSecure”]=> string(3) “ssl” [“SMTPAuth”]=> bool(true) [“Username”]=> string(22) “[email protected]” [“Password”]=> string(16) “ilovesourcingmap” [“Timeout”]=> int(10) [“SMTPDebug”]=> bool(false) [“SMTPKeepAlive”]=> bool(false) [“SingleTo”]=> bool(false) [“smtp”]=> NULL [“to”]=> array(1) { [0]=> array(2) { [0]=> string(20) “[email protected]” [1]=> string(11) “SourcingMap” } } [“cc”]=> array(0) { } [“bcc”]=> array(0) { } [“ReplyTo”]=> array(1) { [0]=> array(2) { [0]=> string(16) “[email protected]” [1]=> string(7) “My Name” } } [“attachment”]=> array(0) { } [“CustomHeader”]=> array(0) { } [“message_type”]=> string(0) “” [“boundary”]=> array(0) { } [“language”]=> array(0) { } [“error_count”]=> int(0) [“LE”]=> string(1) ” ” } Your enquiry has been successfully sent to the Store Owner.