PHPMailer < 5.2.20 vulnerable
Asked Modified Viewed 2,624 times
asked
A(n) (couple of) exploit(s) have been discovered in PHPmailer.
Initial report which is patched: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
New CVE since initial patch is still vulnerable: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Explaination for dummies: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Do we need to patch/update phpmailer on v7 and v9?
Initial report which is patched: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
New CVE since initial patch is still vulnerable: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Explaination for dummies: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Do we need to patch/update phpmailer on v7 and v9?
answered
[youtube]https://www.youtube.com/watch?v=xyYMYvT2bx8&feature=youtu.be[/youtube]
Merged on Dec 30 2016 at 11:45:15:
Yes, thank you for the notice. I'll see to it on version 9 before we release stable.
Merged on Dec 30 2016 at 11:45:15:
Yes, thank you for the notice. I'll see to it on version 9 before we release stable.
Edited by Chan on 30-12-2016 04:45,
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
We might also release an update for 7 on this. Let´s give em some time to see if they have any issues with the patch first.
For general knowledge, the vulnerability is critical but also conditional,
Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033
From my knowledge I do not think we leave the Sender property empty in any scenario per default in any setup. Please correct me if I am wrong.
Happy New Year !
For general knowledge, the vulnerability is critical but also conditional,
Quote
The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code
From my knowledge I do not think we leave the Sender property empty in any scenario per default in any setup. Please correct me if I am wrong.
Happy New Year !
Category Forum
Code Snippet and functions - 8Labels
None yet
Statistics
- Views 0 views
- Posts 2 posts
- Votes 0 votes
- Topic users 3 members
3 participants
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
Chan 0
Lead Developer of PHP-Fusion
- Super Admin, joined since
- Contributed 3,841 posts on the community forums.
- Started 232 threads in the forums
- Answered 6 questions
Anna 10
...
- Newbie, joined since
- Contributed 8 posts on the community forums.
- Started 2 threads in the forums
- Started this discussions
Notifications
Track thread
You are not receiving notifications from this thread.
Related Questions