Hello,

There is a hard-coded string in https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L4418 and https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L4452 which leaks server/app details. For security reasons, we should be able to change this to a custom one, like other headers.

Currently, the only way to do that is to override the entire msgHTML method. Is there a chance to introduce a more flexible approach in the library?

How do you see this as a risk? What threat model do you foresee as applying to it? Neither of these uses is a header. Also bear in mind that msgHTML is purely a convenience function that you don't need to use at all. How would you change the ID generation, bearing in mind that even a random string would be readily fingerprintable?

Our system underwent a security audit and it was detected as a vulnerability (excerpt below):

Disclosure of redundant environment information in email headers
RECOMMENDATION
We strongly recommend removing redundant headers that reveal information about the technologies used.

I would suggest adding @phpmailer.0 to the variable, which will make it easy to overwrite it.
Overwriting the entire function is problematic because it requires monitoring during updates.
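An added example, not code from this issue or from PHPMailer itself: because msgHTML is only a convenience wrapper, an application can embed the images referenced by its HTML body directly through addEmbeddedImage with a Content-ID of its own choosing, so the library's hard-coded suffix never appears in the outgoing message. The helper name, the image directory, the file names and the cid domain are assumptions.

```php
<?php
// Added example (not PHPMailer's own code): rewrite <img src="relative/path">
// references to cid: links, attaching each file with a caller-generated
// Content-ID instead of relying on msgHTML()'s fixed cid format.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

function embedImagesWithCustomCid(PHPMailer $mail, string $html, string $basedir, string $cidDomain): string
{
    $root = realpath($basedir);
    if ($root === false) {
        throw new Exception('Image directory not found: ' . $basedir);
    }
    $seen = []; // resolved path => cid, so an image used twice is attached once
    return preg_replace_callback(
        '/(<img\b[^>]*\bsrc=)(["\'])([^"\']+)\2/i',
        function (array $m) use ($mail, $root, $cidDomain, &$seen) {
            $src = $m[3];
            // Leave absolute URLs, data: URIs and existing cid: links untouched.
            if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $src)) {
                return $m[0];
            }
            $path = realpath($root . DIRECTORY_SEPARATOR . $src);
            // Refuse paths that do not exist or that escape the image directory.
            if ($path === false || !is_file($path)
                || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
                return $m[0];
            }
            if (!isset($seen[$path])) {
                // Opaque random local part; the domain is whatever the sender
                // chooses rather than a library-specific string.
                $cid = bin2hex(random_bytes(16)) . '@' . $cidDomain;
                if (!$mail->addEmbeddedImage($path, $cid, basename($path))) {
                    throw new Exception('Could not embed ' . $path . ': ' . $mail->ErrorInfo);
                }
                $seen[$path] = $cid;
            }
            return $m[1] . $m[2] . 'cid:' . $seen[$path] . $m[2];
        },
        $html
    );
}

// Usage with assumed file names and domain.
$mail = new PHPMailer(true);
$mail->isHTML(true);
$mail->Body = embedImagesWithCustomCid($mail, file_get_contents('newsletter.html'), __DIR__ . '/images', 'example.com');
$mail->AltBody = strip_tags($mail->Body);
```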