Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 13:05:49 -0500
From: Yannick Warnier <ywarnier@...milo.org>
To: oss-security@...ts.openwall.com
Cc: security@...milo.org, security@...pal.org, peter@...e-magic.net
Subject: Re: [security] PHPMailer < 5.2.18 Remote Code
 Execution [CVE-2016-10033]

Hi Peter,

The Chamilo team will be analyzing this in the next 2 days and likely 
provide a patch to our community. Although PHPMailer is indeed not used 
anymore in recent versions, we still have a large number of portals 
around using the previous version.

Thanks Drupal team for the PSA text, we'll probably use part of it as 
inspiration (unless that's not OK - just let me know).

Thank you for your great effort in looking out for us and letting us 
know. Most appreciated.

-- 

Yannick Warnier
Project leader
Chamilo


Le 26/12/16 à 12:57, Michael Hess a écrit :
> The Drupal Security team is going to release a PSA on this topic, we
> don't normally do it, but given the holiday we will issue PSA-004, in
> about 30 min.
>
> The text is below.
>
> Thanks,
> Michael on behalf of the Drupal Security Team.
>
>
>
> Posted by Drupal Security Team on December 26, 2016 at 12:50pm
>
> Advisory ID: DRUPAL-SA-PSA-2016-004
> Project: PHPMailer (third-party library)
> Version: 7.x, 8.x
> Date: 2016-December-26
> Security risk: 23/25 (Highly Critical)
> AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
> Vulnerability: Arbitrary PHP code execution
>
> Description
>
> The PHPMailer and SMTP modules (and maybe others) add support for
> sending e-mails using the 3rd party PHPMailer library.
>
> In general the Drupal project does not create advisories for 3rd party
> libraries. Drupal site maintainers should pay attention to the
> notifications provided by those 3rd party libraries as outlined in
> PSA-2011-002 - External libraries and plugins. However, given the
> extreme criticality of this issue and the timing of its release we are
> issuing a Public Service Announcement to alert potentially affected
> Drupal site maintainers.
>
> CVE identifier(s) issued
>
> CVE-2016-10033
>
> Versions affected
>
> All versions of the external PHPMailer library < 5.2.18.
>
> Drupal core is not affected. If you do not use the contributed
> PHPMailer third party library, there is nothing you need to do.
>
> Solution
>
> Upgrade to the newest version of the phpmailler library.
> https://github.com/PHPMailer/PHPMailer
>
> Reported by
>
> Dawid Golunski
>
> Contact and More Information
>
> The Drupal security team can be reached at security at drupal.org or
> via the contact form at https://www.drupal.org/contact.
>
> Learn more about the Drupal Security team and their policies, writing
> secure code for Drupal, andsecuring your site.
>
> Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
>
>
>
> On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <peter@...e-magic.net> wrote:
>> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
>>> Hi,
>>>
>>> Given I had plenty of time on the train to 33c3 I did a quick
>>> lookaround on what contains PHPMailer. As the details of the vuln
>>> aren't clear yet this doesn't necessarily mean they're vulnerable, just
>>> that they ship the affected code.
>>
>> It looks like the vulnerability is due to a missing escaping of shell
>> arguments in the sender's e-mail address.  This commit seems to be
>> the one that fixes the bug:
>> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449
>>
>> So it depends on whether a web form allows one to control the "from"
>> mail address or not.
>>
>>> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
>>> But there are probably plugins and extensions using it. I also saw it
>>> used in some wordpress themes.
>>
>> I noticed this Drupal module: https://www.drupal.org/project/phpmailer
>> which has some sort of integration with the widely used mimemail module.
>> The linked module http://drupal.org/project/smtp also uses PHPMailer.
>> There are undoubtedly more modules that do.
>>
>> The LCMS system Chamilo also uses PHPMailer for sending mails internally.
>>
>> Cheers,
>> Peter Bex
>>
>> --
>> [ Security | https://lists.drupal.org/mailman/listinfo/security ]
>> [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ