RE: PHPMailer Vulnerability

Posted: Tue Dec 27, 2016 7:07 pm
by calguy1000
Today we were made aware of a vulnerability in PHPMailer (the tool we use to send out all emails from CMSMS), version 5.2.18 and below.

CMSMS 2.1.x is distributed with PHPMailer 5.2.14.

After analysis of this vulnerability report, and our usage of PHPMailer, we have determined that this vulnerability, in the strictest sense, does not apply to CMSMS. Therefore we will NOT be issuing an interim release of PHP solely to patch this issue.

Some Details:

The vulnerability is reported at: https://legalhackers.com/advisories/PHP ... -Vuln.html

This vulnerability occurs when using the 'Sendmail' service, and involves setting the 'From' address of the message to an invalid email address that includes spaces, and can allow overriding options to Sendmail. Those options to Sendmail could then open vulnerable systems up to remote code execution problems.

However, CMSMS is not vulnerable to this attack as we do not allow setting the 'From' address by any public means. The from email address is set into a preference via the CMSMS config panel by a trusted administrator. And that is the only location in the core where it is set.

Additionally, we have analyzed many of the popular third party add-on modules that send messages (FormBuilder, FEU, NMS, etc.) and determined that even the few modules that do allow adjusting the 'From' address are also not vulnerable to this attack for the same reason as above.

In conclusion, while we will be upgrading PHPMailer along with other third party libraries for CMSMS 2.2, we have determined that issuing a new version of CMSMS to patch this vulnerability is not warranted at this time.

Thank you, and enjoy the holiday season.
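
The post above attributes the issue to a 'From' address containing spaces reaching the Sendmail service. As an added example (not part of the original post, and not CMSMS or PHPMailer code), the following sketch shows a strict check a site or module could apply to a sender address at the point of use, even when it comes from an administrator-set preference. The function names `is_safe_sender` and `sender_for_transport` and the sample addresses are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: decide whether a 'From' address is safe to hand
 * to a Sendmail-based transport. Deliberately stricter than RFC 5322.
 */
function is_safe_sender(string $address): bool
{
    // Whitespace and control characters are what allow one address to be
    // read as several arguments once it reaches the sendmail command line.
    if (preg_match('/[\s\x00-\x1F\x7F]/', $address) === 1) {
        return false;
    }
    // Quoted local parts and backslash escapes are not needed for a site
    // sender address, so this policy rejects them outright.
    if (strpbrk($address, "\"'\\") !== false) {
        return false;
    }
    // Finally require a syntactically valid address.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Hypothetical wrapper: validate at send time, not only when the
 * preference was saved, so a tampered stored value is still caught.
 */
function sender_for_transport(string $configured): string
{
    if (!is_safe_sender($configured)) {
        throw new InvalidArgumentException('Refusing unsafe From address');
    }
    return $configured;
}

// Constructed sample values, not taken from the advisory.
$candidates = [
    'webmaster@example.com',
    'web master@example.com',
    '"web master"@example.com',
    "webmaster@example.com\n",
    'webmaster',
];

foreach ($candidates as $candidate) {
    $verdict = is_safe_sender($candidate) ? 'accept' : 'reject';
    printf("%-30s %s\n", json_encode($candidate), $verdict);
}
```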