Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 26 Dec 2016 12:57:26 -0500
From: Michael Hess <mlhess@...ch.edu>
To: security@...pal.org, oss-security@...ts.openwall.com, security@...milo.org
Subject: Re: [security] PHPMailer < 5.2.18 Remote Code
 Execution [CVE-2016-10033]

The Drupal Security team is going to release a PSA on this topic, we
don't normally do it, but given the holiday we will issue PSA-004, in
about 30 min.

The text is below.

Thanks,
Michael on behalf of the Drupal Security Team.



Posted by Drupal Security Team on December 26, 2016 at 12:50pm

Advisory ID: DRUPAL-SA-PSA-2016-004
Project: PHPMailer (third-party library)
Version: 7.x, 8.x
Date: 2016-December-26
Security risk: 23/25 (Highly Critical)
AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
Vulnerability: Arbitrary PHP code execution

Description

The PHPMailer and SMTP modules (and maybe others) add support for
sending e-mails using the 3rd party PHPMailer library.

In general the Drupal project does not create advisories for 3rd party
libraries. Drupal site maintainers should pay attention to the
notifications provided by those 3rd party libraries as outlined in
PSA-2011-002 - External libraries and plugins. However, given the
extreme criticality of this issue and the timing of its release we are
issuing a Public Service Announcement to alert potentially affected
Drupal site maintainers.

CVE identifier(s) issued

CVE-2016-10033

Versions affected

All versions of the external PHPMailer library < 5.2.18.

Drupal core is not affected. If you do not use the contributed
PHPMailer third party library, there is nothing you need to do.

Solution

Upgrade to the newest version of the phpmailler library.
https://github.com/PHPMailer/PHPMailer

Reported by

Dawid Golunski

Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, andsecuring your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity



On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <peter@...e-magic.net> wrote:
> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
>> Hi,
>>
>> Given I had plenty of time on the train to 33c3 I did a quick
>> lookaround on what contains PHPMailer. As the details of the vuln
>> aren't clear yet this doesn't necessarily mean they're vulnerable, just
>> that they ship the affected code.
>
> It looks like the vulnerability is due to a missing escaping of shell
> arguments in the sender's e-mail address.  This commit seems to be
> the one that fixes the bug:
> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449
>
> So it depends on whether a web form allows one to control the "from"
> mail address or not.
>
>> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
>> But there are probably plugins and extensions using it. I also saw it
>> used in some wordpress themes.
>
> I noticed this Drupal module: https://www.drupal.org/project/phpmailer
> which has some sort of integration with the widely used mimemail module.
> The linked module http://drupal.org/project/smtp also uses PHPMailer.
> There are undoubtedly more modules that do.
>
> The LCMS system Chamilo also uses PHPMailer for sending mails internally.
>
> Cheers,
> Peter Bex
>
> --
> [ Security | https://lists.drupal.org/mailman/listinfo/security ]
> [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.