Vulnerability or not? Topic is solved

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Post Reply
rooon
Forum Members
Forum Members
Posts: 113
Joined: Mon Dec 05, 2011 4:40 pm
Location: Nederland

Vulnerability or not?

Post by rooon »

Hi all,

After an upgrade from 2.2.3.1 to 2.2.16 , the hosting company did send me an email with this message
Below you will find the list of resolved vulnerabilities.
For more information, look in the DirectAdmin of your web hosting package at 'Patchman'.

Code injection vulnerability in PHPMailer.
public_html/lib/phpmailer/class.phpmailer.php
My customer is a little worried. What can I tell him?

Ronald
rooon
Forum Members
Forum Members
Posts: 113
Joined: Mon Dec 05, 2011 4:40 pm
Location: Nederland

Re: Vulnerability or not?

Post by rooon »

Some extra info.

DirectAdmin >> Patchman log
[PHPMailer] [CVE-2020-36326 - CVE-2018-19296] Object-injectie
CVE-2020-36326 https://github.com/advisories/GHSA-m298-fh5c-jc66
CVE-2018-19296 https://github.com/advisories/GHSA-7w4p-72j7-v7c2

This is a vulnerability of the type code-injection.
User avatar
Jo Morg
Dev Team Member
Dev Team Member
Posts: 1921
Joined: Mon Jan 29, 2007 4:47 pm

Re: Vulnerability or not?

Post by Jo Morg »

The vulnerabilities of the libraries that make part of CMSMS may affect the whole, part or none of the CMSMS core depending on circumstances. We are almost always notified of them as soon as they are discovered, and have to assess whether these vulnerabilities are exploitable in the CMSMS context or not. Every time a library upgrade is due, we need to test it, see if the latest release is mature enough not to introduce new bugs and unknown vulnerabilities, and if the upgrade itself is the best solution possible vs the version currently being used. In some cases the lib is exposed enough to be a liability and open to be exploited and action is taken immediately to fix it, in other cases the lib is wrapped too deep in the CMSMS core own code that the core itself is responsible for the protections and mitigations needed to prevent the vulnerable code from being exploited.
In the case of PHPMailer, the assessment made at the time was that there was no way that the exploit could be used given that the 3rd party modules used are trusted for using the CMSMS core API to access the PHPMailer lib, i.e. Formbuilder, CGBetterForms, SmartForms, FEU, MAMS, and all of the more popular modules that use the email sending functionality. So there was no urgency in upgrading the lib.
We are now in the process of finalizing an upgrade of CMSMS and most, if not all, its libraries are included. This update is long due, and is imminent, for a number of reasons.
That is to say that, if you don't have any custom code that accesses the PHPmailer library directly, there should be no risk involved. And the update is on its way too, so we are going to close that door at the same time.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Condut | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
rooon
Forum Members
Forum Members
Posts: 113
Joined: Mon Dec 05, 2011 4:40 pm
Location: Nederland

[solved] Vulnerability or not?

Post by rooon »

Jo Morg, Thank you for your detailed explanation.
I'm sure my customer will be happy after reading your answer.
peterasap
New Member
New Member
Posts: 5
Joined: Wed Dec 31, 2014 8:15 am

Re: Vulnerability or not?

Post by peterasap »

Hi,

Out of curiosity: When the new version of CMSMS is expected ? I need to start 3 new sites(PHP 8.1) with CMSMS and if possible to go with a newer version :)

Thanks :)
User avatar
Jo Morg
Dev Team Member
Dev Team Member
Posts: 1921
Joined: Mon Jan 29, 2007 4:47 pm

Re: Vulnerability or not?

Post by Jo Morg »

We are doing our best to try to release it in the next few weeks. The issue has been that work has been getting in the way, and delaying the development quite a bit. Not committing to it, but I'm really hoping to release in the next couple of weeks.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Condut | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Post Reply

Return to “CMSMS Core”