Date: Mon, 26 Dec 2016 13:05:49 -0500 From: Yannick Warnier <ywarnier@...milo.org> To: oss-security@...ts.openwall.com Cc: security@...milo.org, security@...pal.org, peter@...e-magic.net Subject: Re: [security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Hi Peter, The Chamilo team will be analyzing this in the next 2 days and likely provide a patch to our community. Although PHPMailer is indeed not used anymore in recent versions, we still have a large number of portals around using the previous version. Thanks Drupal team for the PSA text, we'll probably use part of it as inspiration (unless that's not OK - just let me know). Thank you for your great effort in looking out for us and letting us know. Most appreciated. -- Yannick Warnier Project leader Chamilo Le 26/12/16 à 12:57, Michael Hess a écrit : > The Drupal Security team is going to release a PSA on this topic, we > don't normally do it, but given the holiday we will issue PSA-004, in > about 30 min. > > The text is below. > > Thanks, > Michael on behalf of the Drupal Security Team. > > > > Posted by Drupal Security Team on December 26, 2016 at 12:50pm > > Advisory ID: DRUPAL-SA-PSA-2016-004 > Project: PHPMailer (third-party library) > Version: 7.x, 8.x > Date: 2016-December-26 > Security risk: 23/25 (Highly Critical) > AC:None/A:User/CI:All/II:All/E:Exploit/TD:All > Vulnerability: Arbitrary PHP code execution > > Description > > The PHPMailer and SMTP modules (and maybe others) add support for > sending e-mails using the 3rd party PHPMailer library. > > In general the Drupal project does not create advisories for 3rd party > libraries. Drupal site maintainers should pay attention to the > notifications provided by those 3rd party libraries as outlined in > PSA-2011-002 - External libraries and plugins. However, given the > extreme criticality of this issue and the timing of its release we are > issuing a Public Service Announcement to alert potentially affected > Drupal site maintainers. > > CVE identifier(s) issued > > CVE-2016-10033 > > Versions affected > > All versions of the external PHPMailer library < 5.2.18. > > Drupal core is not affected. If you do not use the contributed > PHPMailer third party library, there is nothing you need to do. > > Solution > > Upgrade to the newest version of the phpmailler library. > https://github.com/PHPMailer/PHPMailer > > Reported by > > Dawid Golunski > > Contact and More Information > > The Drupal security team can be reached at security at drupal.org or > via the contact form at https://www.drupal.org/contact. > > Learn more about the Drupal Security team and their policies, writing > secure code for Drupal, andsecuring your site. > > Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity > > > > On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <peter@...e-magic.net> wrote: >> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote: >>> Hi, >>> >>> Given I had plenty of time on the train to 33c3 I did a quick >>> lookaround on what contains PHPMailer. As the details of the vuln >>> aren't clear yet this doesn't necessarily mean they're vulnerable, just >>> that they ship the affected code. >> >> It looks like the vulnerability is due to a missing escaping of shell >> arguments in the sender's e-mail address. This commit seems to be >> the one that fixes the bug: >> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449 >> >> So it depends on whether a web form allows one to control the "from" >> mail address or not. >> >>> Drupal doesn't contain PHPMailer, although mentioned in the advisory. >>> But there are probably plugins and extensions using it. I also saw it >>> used in some wordpress themes. >> >> I noticed this Drupal module: https://www.drupal.org/project/phpmailer >> which has some sort of integration with the widely used mimemail module. >> The linked module http://drupal.org/project/smtp also uses PHPMailer. >> There are undoubtedly more modules that do. >> >> The LCMS system Chamilo also uses PHPMailer for sending mails internally. >> >> Cheers, >> Peter Bex >> >> -- >> [ Security | https://lists.drupal.org/mailman/listinfo/security ] >> [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails] >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ