Date: Mon, 26 Dec 2016 12:57:26 -0500 From: Michael Hess <mlhess@...ch.edu> To: security@...pal.org, oss-security@...ts.openwall.com, security@...milo.org Subject: Re: [security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] The Drupal Security team is going to release a PSA on this topic, we don't normally do it, but given the holiday we will issue PSA-004, in about 30 min. The text is below. Thanks, Michael on behalf of the Drupal Security Team. Posted by Drupal Security Team on December 26, 2016 at 12:50pm Advisory ID: DRUPAL-SA-PSA-2016-004 Project: PHPMailer (third-party library) Version: 7.x, 8.x Date: 2016-December-26 Security risk: 23/25 (Highly Critical) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All Vulnerability: Arbitrary PHP code execution Description The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library. In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins. However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers. CVE identifier(s) issued CVE-2016-10033 Versions affected All versions of the external PHPMailer library < 5.2.18. Drupal core is not affected. If you do not use the contributed PHPMailer third party library, there is nothing you need to do. Solution Upgrade to the newest version of the phpmailler library. https://github.com/PHPMailer/PHPMailer Reported by Dawid Golunski Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, andsecuring your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <peter@...e-magic.net> wrote: > On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote: >> Hi, >> >> Given I had plenty of time on the train to 33c3 I did a quick >> lookaround on what contains PHPMailer. As the details of the vuln >> aren't clear yet this doesn't necessarily mean they're vulnerable, just >> that they ship the affected code. > > It looks like the vulnerability is due to a missing escaping of shell > arguments in the sender's e-mail address. This commit seems to be > the one that fixes the bug: > https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449 > > So it depends on whether a web form allows one to control the "from" > mail address or not. > >> Drupal doesn't contain PHPMailer, although mentioned in the advisory. >> But there are probably plugins and extensions using it. I also saw it >> used in some wordpress themes. > > I noticed this Drupal module: https://www.drupal.org/project/phpmailer > which has some sort of integration with the widely used mimemail module. > The linked module http://drupal.org/project/smtp also uses PHPMailer. > There are undoubtedly more modules that do. > > The LCMS system Chamilo also uses PHPMailer for sending mails internally. > > Cheers, > Peter Bex > > -- > [ Security | https://lists.drupal.org/mailman/listinfo/security ] > [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.