• twitter image
  • facebook image
  • youtube image
  • linkedin image
Language: CMS Made Simple Czech CMS Made Simple France CMS Made Simple Spain CMS Made Simple Hungary CMS Made Simple Russia CMS Made Simple Netherlands

All times are UTC




Post new topic Reply to topic  [ 1 post ] 
Author Message
 Post subject: RE: PHPMailer Vulnerability
PostPosted: Tue Dec 27, 2016 7:07 pm 
Offline
Dev Team Member
Dev Team Member
User avatar

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7837
Location: Fernie British Columbia, Canada
Today we were made aware of a vulnerability in a version of PhpMailer (the tool we use to send out all emails from CMSMS) version 5.2.18 and below.

CMSMS 2.1.x is distributed with PhpMailer 5.2.14.

After analysis of this vulnerability report, and our usage of PHPMailer, we have determined that this vulnerability in the strictest sense, does not apply to CMSMS. Therefore we will NOT be issuing an interim release of PHP solely to patch this issue.

Some Details:

The vulnerability is reported at: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

This vulnerability occurs when using the 'Sendmail' service, and involves setting the 'From' address of the message to an invalid email address that includes spaces, and can allow overriding options to Sendmail. Those options to Sendmail could then open vulnerable systems up to remote code execution problems.

However, CMSMS is not vulnerable to this attack as we do not allow setting the 'From; address by any public means. The from email address is set into a preference via the CMSMS config panel by a trusted administrator. And that is the only location in the core where it is set.

Additionally, we have analyzed many of the popular third party add-on modules that send messages (FormBuilder, FEU, NMS, etc). and determined that even the few modules that do allow adjusting the 'From' address are also not vulnerable to this attack for the same reason as above.

In conclusion, while we will be upgrading PhpMailer along with other third party libraries for CMSMS 2.2 we have determined that issuing a new version of CMSMS to patch this vulnerability is not warranted at this time.

Thank you, and enjoy the holiday season.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC


Who is online

Users browsing this forum: No registered users


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
A2 Hosting