Date: Mon, 26 Dec 2016 13:05:49 -0500
From: Yannick Warnier <>
Subject: Re: [security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

Hi Peter,

The Chamilo team will be analyzing this in the next 2 days and likely 
provide a patch to our community. Although PHPMailer is indeed not used 
anymore in recent versions, we still have a large number of portals 
around using the previous version.

Thanks Drupal team for the PSA text, we'll probably use part of it as 
inspiration (unless that's not OK - just let me know).

Thank you for your great effort in looking out for us and letting us 
know. Most appreciated.


Yannick Warnier
Project leader

On 26/12/16 at 12:57, Michael Hess wrote:
> The Drupal Security team is going to release a PSA on this topic, we
> don't normally do it, but given the holiday we will issue PSA-004, in
> about 30 min.
> The text is below.
> Thanks,
> Michael on behalf of the Drupal Security Team.
> Posted by Drupal Security Team on December 26, 2016 at 12:50pm
> Advisory ID: DRUPAL-SA-PSA-2016-004
> Project: PHPMailer (third-party library)
> Version: 7.x, 8.x
> Date: 2016-December-26
> Security risk: 23/25 (Highly Critical)
> AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
> Vulnerability: Arbitrary PHP code execution
> Description
> The PHPMailer and SMTP modules (and maybe others) add support for
> sending e-mails using the 3rd party PHPMailer library.
> In general the Drupal project does not create advisories for 3rd party
> libraries. Drupal site maintainers should pay attention to the
> notifications provided by those 3rd party libraries as outlined in
> PSA-2011-002 - External libraries and plugins. However, given the
> extreme criticality of this issue and the timing of its release we are
> issuing a Public Service Announcement to alert potentially affected
> Drupal site maintainers.
> CVE identifier(s) issued
> CVE-2016-10033
> Versions affected
> All versions of the external PHPMailer library < 5.2.18.
> Drupal core is not affected. If you do not use the contributed
> PHPMailer third party library, there is nothing you need to do.
> Solution
> Upgrade to the newest version of the PHPMailer library.
> Reported by
> Dawid Golunski
> Contact and More Information
> The Drupal security team can be reached at security at or
> via the contact form at
> Learn more about the Drupal Security team and their policies, writing
> secure code for Drupal, and securing your site.
> Follow the Drupal Security Team on Twitter at
> On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <> wrote:
>> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
>>> Hi,
>>> Given I had plenty of time on the train to 33c3 I did a quick
>>> lookaround on what contains PHPMailer. As the details of the vuln
>>> aren't clear yet this doesn't necessarily mean they're vulnerable, just
>>> that they ship the affected code.
>> It looks like the vulnerability is due to a missing escaping of shell
>> arguments in the sender's e-mail address.  This commit seems to be
>> the one that fixes the bug:
>> So it depends on whether a web form allows one to control the "from"
>> mail address or not.
>>> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
>>> But there are probably plugins and extensions using it. I also saw it
>>> used in some wordpress themes.
>> I noticed this Drupal module:
>> which has some sort of integration with the widely used mimemail module.
>> The linked module also uses PHPMailer.
>> There are undoubtedly more modules that do.
>> The LCMS system Chamilo also uses PHPMailer for sending mails internally.
>> Cheers,
>> Peter Bex
>> --
>> [ Security | ]
>> [Security team mailing list management and scheduling is documented here |]
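The mechanism Peter Bex describes above (a sender address that is pasted, unescaped, into the command line used to launch the MTA), shown as an added example written for this page; it is not PHPMailer's code and not the fix commit referenced in the thread. Python's shlex stands in for the POSIX shell that word-splits the command line, so nothing is executed. The sendmail path, the address regex and the function names are assumptions, and the crafted sender string is constructed for the demonstration.

```python
"""How an unescaped sender address becomes extra MTA arguments.

The mail path discussed in the thread hands a command line of the form
    sendmail -oi -f <sender> -t
to a shell. If <sender> is interpolated as-is, whitespace inside it is
word-split by the shell and every extra word becomes its own argv entry
for the MTA. shlex models POSIX shell splitting here; nothing is run.
"""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; only used to build argv


def build_cmdline_unescaped(sender: str) -> str:
    """Vulnerable pattern: raw interpolation of a user-controlled value."""
    return f"{SENDMAIL} -oi -f {sender} -t"


def build_cmdline_quoted(sender: str) -> str:
    """Quote the value as one shell word (what PHP's escapeshellarg does)."""
    return f"{SENDMAIL} -oi -f {shlex.quote(sender)} -t"


# Envelope-sender syntax accepted here: no whitespace, quotes or shell
# metacharacters. Deliberately stricter than RFC 5321; a quoted local part
# is never needed for a bounce address supplied through a web form.
ENVELOPE_SENDER = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_envelope_sender(sender: str) -> str:
    """Reject anything that is not a plain address; return it unchanged otherwise."""
    if not ENVELOPE_SENDER.fullmatch(sender):
        raise ValueError(f"refusing envelope sender {sender!r}")
    return sender


def is_accepted(sender: str) -> bool:
    """True if the hardened path would let this sender through."""
    try:
        validate_envelope_sender(sender)
    except ValueError:
        return False
    return True


def build_argv_hardened(sender: str) -> list:
    """Preferred fix: validate, then pass argv as a list so no shell parses it."""
    return [SENDMAIL, "-oi", "-f", validate_envelope_sender(sender), "-t"]


def argv_as_shell_sees_it(cmdline: str) -> list:
    """Split a command string with POSIX shell rules, i.e. what `sh -c` would do."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    # Constructed inputs: an ordinary address and one carrying an extra word.
    for sender in ("bob@example.com", "bob@example.com --injected"):
        print("unescaped:", argv_as_shell_sees_it(build_cmdline_unescaped(sender)))
        print("quoted:   ", argv_as_shell_sees_it(build_cmdline_quoted(sender)))
        if is_accepted(sender):
            print("hardened: ", build_argv_hardened(sender))
        else:
            print("hardened:  rejected", repr(sender))
```

With the unescaped builder the extra word `--injected` shows up as a separate argv entry in front of `-t`, which is exactly what an MTA would parse as one of its own options; quoting alone keeps the whole string as a single `-f` value, and the validate-then-argv-list path never lets such a string reach the MTA at all.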

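The Drupal PSA quoted above tells site maintainers to find and upgrade any bundled copy of PHPMailer below 5.2.18, and Hanno's note shows that such copies turn up inside modules, plugins and themes rather than in one known place. The following scanner is an added example for this page, not a tool from Drupal, Chamilo or PHPMailer. It assumes that the 5.2 series declares its version as `public $Version = '5.2.x';` in class.phpmailer.php and the 6.x series as `const VERSION = '6.x.y';` in src/PHPMailer.php; the sample file contents used below are constructed.

```python
"""Locate bundled copies of PHPMailer under a web root and flag versions < 5.2.18."""
import os
import re
import sys

FIXED_IN = (5, 2, 18)  # first release without CVE-2016-10033, per the advisory

# Files that carry the version declaration (assumption: 5.2.x uses
# `public $Version = '5.2.x';` in class.phpmailer.php, 6.x uses
# `const VERSION = '6.x.y';` in src/PHPMailer.php).
CANDIDATE_FILES = {"class.phpmailer.php", "PHPMailer.php"}
VERSION_RE = re.compile(
    r"""(?:public\s+\$Version|const\s+VERSION)\s*=\s*['"](\d+(?:\.\d+)*)['"]"""
)


def parse_version(source: str):
    """Return the declared version as an int tuple, or None if not found."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version) -> bool:
    """Tuple comparison: (5, 2, 16) < (5, 2, 18); (6, 0, 0) is not."""
    return version < FIXED_IN


def classify(source: str):
    """(version string, vulnerable?) for one file's contents, or None."""
    version = parse_version(source)
    if version is None:
        return None
    return ".".join(str(p) for p in version), is_vulnerable(version)


def scan_tree(root: str) -> list:
    """Walk `root` and return (path, version, vulnerable) for every copy found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in CANDIDATE_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read(65536)  # the declaration sits near the top
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            result = classify(source)
            if result is not None:
                findings.append((path, result[0], result[1]))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, vulnerable in scan_tree(root):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:<10} {version:<8} {path}")
```

Run it as `python3 scan_phpmailer.py /var/www` (an assumed script name and path); every hit below 5.2.18 is a copy to upgrade, and a hit with no version string at all deserves a manual look, since the scanner only reports files whose declaration it could parse.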