RE: PHPMailer Vulnerability

Project Announcements. This is read-only, as in... not for problems/bugs/feature request.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Post by calguy1000 »

Today we were made aware of a vulnerability in PhpMailer (the tool we use to send out all emails from CMSMS), affecting version 5.2.18 and below.

CMSMS 2.1.x is distributed with PhpMailer 5.2.14.

After analysis of this vulnerability report and our usage of PHPMailer, we have determined that this vulnerability, in the strictest sense, does not apply to CMSMS. Therefore we will NOT be issuing an interim release of PHP solely to patch this issue.

Some Details:

The vulnerability is reported at: https://legalhackers.com/advisories/PHP ... -Vuln.html

This vulnerability occurs when using the 'Sendmail' service, and involves setting the 'From' address of the message to an invalid email address that includes spaces, and can allow overriding options to Sendmail. Those options to Sendmail could then open vulnerable systems up to remote code execution problems.

However, CMSMS is not vulnerable to this attack as we do not allow setting the 'From' address by any public means. The from email address is set into a preference via the CMSMS config panel by a trusted administrator, and that is the only location in the core where it is set.

Additionally, we have analyzed many of the popular third party add-on modules that send messages (FormBuilder, FEU, NMS, etc.) and determined that even the few modules that do allow adjusting the 'From' address are also not vulnerable to this attack for the same reason as above.

In conclusion, while we will be upgrading PhpMailer along with other third party libraries for CMSMS 2.2, we have determined that issuing a new version of CMSMS to patch this vulnerability is not warranted at this time.

Thank you, and enjoy the holiday season.
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
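The announcement above turns on one point: a 'From' address containing spaces must never reach the sendmail command line, which is why an address set only by a trusted administrator is considered out of scope. The following is an added example, not code from CMSMS, PHPMailer or this post, showing the kind of defensive check a module that does accept a sender address from less trusted input would want. The function names (`isSafeSenderAddress`, `buildSendmailCommand`), the sendmail path and the sample addresses are assumptions constructed for the example.

```php
<?php
// Added example (not CMSMS or PHPMailer code): a defensive check on a sender
// address before it is handed to a mail transport that shells out to sendmail.
// The advisory discussed above concerns 'From' values containing spaces being
// passed through to the sendmail command line; the conservative position is to
// never let an address with whitespace or shell metacharacters get that far.

/**
 * Return true only if $address is a syntactically valid single mailbox
 * containing no whitespace and no characters that have meaning to a shell.
 */
function isSafeSenderAddress(string $address): bool
{
    // Reject anything that is not a plain mailbox (no display name, no comments).
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Belt and braces: no whitespace or shell metacharacters at all, even where
    // a quoted local part would technically permit them.
    if (preg_match('/[\s"\'`$&|;<>(){}\\\\]/', $address)) {
        return false;
    }
    return true;
}

/**
 * Build the sendmail invocation the way a conservative caller would: validate
 * first, and still pass the envelope sender through escapeshellarg().
 * Returns null when the address is not acceptable. The sendmail path and the
 * -f option usage are assumptions for this example, not a project's own code.
 */
function buildSendmailCommand(string $sendmailPath, string $from): ?string
{
    if (!isSafeSenderAddress($from)) {
        return null;
    }
    return $sendmailPath . ' -t -i -f' . escapeshellarg($from);
}

// Constructed sample inputs (hypothetical values, not taken from the post).
$samples = [
    'admin@example.com',          // acceptable
    'admin @example.com',         // contains a space: rejected
    '"quoted local"@example.com', // quoted local part with whitespace: rejected
];
foreach ($samples as $candidate) {
    $cmd = buildSendmailCommand('/usr/sbin/sendmail', $candidate);
    printf("%-30s => %s\n", $candidate, $cmd ?? 'rejected');
}
```

The two-layer check is deliberate: `FILTER_VALIDATE_EMAIL` rejects the obviously malformed addresses, while the explicit character class rejects anything a shell could interpret even if the e-mail grammar would admit it. Keeping `escapeshellarg()` on the already-validated value costs nothing and protects against a future caller that bypasses the validation step.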