PHPMailer < 5.2.20 vulnerable

A couple of exploits have been discovered in PHPMailer.

Initial report which is patched: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
New CVE since initial patch is still vulnerable: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Explanation for dummies: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/

Do we need to patch/update phpmailer on v7 and v9?


Merged on Dec 30 2016 at 11:45:15:
Yes, thank you for the notice. I'll see to it on version 9 before we release stable.
We might also release an update for 7 on this. Let's give them some time to see if they have any issues with the patch first.
For general knowledge, the vulnerability is critical but also conditional:

Quote

The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code
Source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033

From my knowledge I do not think we leave the Sender property empty in any scenario per default in any setup. Please correct me if I am wrong.

Happy New Year !
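The NVD text quoted above states the condition in one sentence. The following Python model is added here as an illustration and is not PHPMailer's code: it shows why an address that passes a permissive, RFC-style syntax check (quoted local parts are legal) can still smuggle extra sendmail options into the `-f` parameter, why an explicitly set Sender changes which value reaches that parameter, and what a character allow-list of the kind the 5.2.20 fix introduced rejects. The crafted address, the regexes and all function names are constructed for this example.

```python
import re

# Constructed sample inputs (not real addresses). The crafted one has a
# double-quoted local part, which address syntax permits, carrying extra
# sendmail options in the style the advisories linked above describe.
CRAFTED_SENDER = '"attacker\\" -oQ/tmp/ -X/tmp/injected.log  some"@example.com'
CLEAN_SENDER = 'webmaster@example.com'

# Permissive syntax check: plain dot-atom local part, or a quoted local part.
DOT_ATOM_LOCAL = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$')
QUOTED_LOCAL = re.compile(r'^"(?:[^"\\]|\\.)*"@[A-Za-z0-9.-]+$')

# Allow-list for anything that will be placed on a sendmail command line:
# letters, digits, '@', '_', '-' and '.' only. Quotes, spaces and backslashes
# are rejected outright instead of being escaped.
SHELL_SAFE = re.compile(r'^[A-Za-z0-9@_.\-]+$')


def looks_like_email(addr):
    """Syntax-only validation; accepts quoted local parts like RFC 3696 does."""
    return bool(DOT_ATOM_LOCAL.match(addr) or QUOTED_LOCAL.match(addr))


def is_shell_safe(addr):
    """Allow-list check: True only if no character could alter the argument list."""
    return bool(SHELL_SAFE.match(addr))


def effective_sender(from_addr, sender=''):
    """Models the fallback the NVD text refers to: with no Sender set,
    the From address is what ends up in the envelope-sender parameter."""
    return sender or from_addr


def sendmail_params_vulnerable(sender):
    """Insecure pattern (hypothetical): any syntactically valid address is
    placed into -f, so a quoted local part reaches the command line intact."""
    if looks_like_email(sender):
        return '-f%s' % sender
    return ''


def sendmail_params_hardened(sender):
    """Hardened pattern: -f is only emitted when the address is both
    syntactically valid and made solely of allow-listed characters;
    otherwise the parameter is dropped rather than escaped."""
    if looks_like_email(sender) and is_shell_safe(sender):
        return '-f%s' % sender
    return ''


if __name__ == '__main__':
    for label, addr in (('crafted', CRAFTED_SENDER), ('clean', CLEAN_SENDER)):
        print(label, 'syntax ok:', looks_like_email(addr),
              'shell safe:', is_shell_safe(addr))
        print('  vulnerable params:', repr(sendmail_params_vulnerable(addr)))
        print('  hardened params:  ', repr(sendmail_params_hardened(addr)))
    # Sender set explicitly: the crafted From never reaches -f.
    print('with Sender set:', repr(sendmail_params_hardened(
        effective_sender(CRAFTED_SENDER, CLEAN_SENDER))))
```

The point of the allow-list is that it does not try to escape the address for the shell; the advisories linked above describe exactly that escaping approach being bypassed, so rejecting anything outside the safe character set (and losing the `-f` option for such a sender) is the conservative choice.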
Thread information: 3 posts, 1,725 views, last post 3 years ago.
Users who participated in discussion: Falk, Chan, Anna