Php Mail() Vulnerable?

[chuckmalani]

hi TCHers,

 

I've been a TCH family member for a couple years now i think, I actually came here when my old host wouldn't let me install a PHP webmail client because of "php mail vulnerabilites". unfortunately, my buddy who also wanted a family website asked me for help before my switch, so I set him up w/ the old host. Long story short is, I'm helping him now install Mambo, and the contact doesnt work, presumably because they have turned off mail() or dont have the PHPMailer class installed.

 

Here's their point, which I dont understand:

Why is the mail() function in PHP disabled?

A major limitation of the Apache 1.3 + mod_php combination is that PHP scripts execute under the web server UID ('www'), which is system-wide. This allows spammers to send totally untrackable spam through vulnerable PHP scripts (the UID in the header shows up as 'www').

 

Until setuid execution is available for Apache+mod_php (which should occur when the Apache2 module mod_perchild is stable), the mail() function is only available with the CGI version of PHP, which allows proper tracking.

 

How does TCH do this? I have 100% faith in TCH's security and the personnel that put it in place (thats why I'm still here!). I'd love for my friend to make the move to TCH and thats what I'm suggesting he does, but I am just baffled by this in general and wonder if anyone w/ experience w/ this understands and can explain.

 

Thanks in advance,

Chuck