Joomla Announces Security Fix for PHPMailer Vulnerability

Joomla has announced a security fix for the PHPMailer Vulnerability which will be included in version 3.7 when it is released. Watch for that #Joomla release as it's important to fix this issue.

Description

All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.18 which will be included with Joomla! 3.7. After analysis, the JSST has determined that through correct use of the JMail class, there are additional validations in place which make executing this vulnerability impractical within the Joomla environment. As well, the vulnerability requires being able to pass user input to a message’s “from” address; all places in the core Joomla API which send mail use the sender address set in the global configuration and do not allow for user input to be set elsewhere. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.

Generally, the Joomla project does not issue advisories regarding third party libraries, however given the severity of this issue we felt it important to advise our users that we are aware of this issue and we have determined that the additional validations in our API prevent triggering this vulnerability.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.5

Solution

No action is required for Joomla users: the updated library will be included in the next scheduled release, and additional mechanisms exist in Joomla core to prevent triggering the vulnerability. Users of the PHPMailer library separate from Joomla are advised to upgrade to 5.2.18 or newer ASAP.

Additional Resources

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

beast-usa

Comments

  • Looks like you can test on a dev site the same fix posted in our phpFox thread for this issue.

    You can get the zip file here.

    Extract the downloaded file.

    Open the folder "PHPMailer-5.2.19".

    On your development site, open the libraries/vendor/phpmailer/ folder and you will see another phpmailer/ folder. Rename that to something like phpmailerbu/ so that you have a backup of the files in case you need them.

    Create a new phpmailer/ folder so you will now see libraries/vendor/phpmailer/phpmailer/ on your server in this development site.

    Upload all of the files from your PHPMailer-5.2.19 folder on your computer to the new libraries/vendor/phpmailer/phpmailer/ folder you made.

    Test your site. If it works fine, do the same for your live site.
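The backup-and-replace steps in the comment above, scripted as an added example (this is not code from the forum post, the commenter, or the Joomla project). It assumes the new library has already been extracted to a directory passed as the second argument, that this directory contains `class.phpmailer.php` with the `$Version = '...'` property that PHPMailer 5.2.x ships, and that the first argument is the Joomla site root. Before touching anything it checks that the replacement is at least 5.2.18 (the version the advisory names as patched), refuses to overwrite an existing `phpmailerbu/` backup, and reports the version actually installed afterwards:

```shell
#!/bin/sh
# Added example: automates the manual PHPMailer swap described in the comment.
# Assumed layout: SITE_ROOT/libraries/vendor/phpmailer/phpmailer/ is the live
# library; NEW_DIR is the extracted PHPMailer-5.2.x tree from the zip file.
set -eu

# Print the version string from a PHPMailer 5.2.x tree (reads the
# "public $Version = '5.2.19';" line in class.phpmailer.php).
phpmailer_version() {
    sed -n "s/.*\$Version *= *'\([^']*\)'.*/\1/p" "$1/class.phpmailer.php" | head -n 1
}

# version_ge A B: succeed when dotted version A is at least B.
version_ge() {
    lowest="$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)"
    [ "$lowest" = "$2" ]
}

# replace_phpmailer SITE_ROOT NEW_DIR: back up the bundled library to
# phpmailerbu/, install NEW_DIR in its place, and report the result.
replace_phpmailer() {
    site="$1"
    new="$2"
    target="$site/libraries/vendor/phpmailer/phpmailer"
    backup="$site/libraries/vendor/phpmailer/phpmailerbu"

    [ -f "$new/class.phpmailer.php" ] || { echo "no class.phpmailer.php in $new" >&2; return 1; }
    newver="$(phpmailer_version "$new")"
    version_ge "$newver" 5.2.18 || { echo "refusing: $newver is older than 5.2.18" >&2; return 1; }

    if [ -d "$target" ]; then
        # Keep the original files, exactly as the comment suggests, but never
        # clobber a backup from an earlier run.
        [ -e "$backup" ] && { echo "backup $backup already exists" >&2; return 1; }
        mv "$target" "$backup"
    fi
    mkdir -p "$target"
    cp -R "$new"/. "$target"/
    echo "installed PHPMailer $(phpmailer_version "$target")"
}

# Usage: sh replace_phpmailer.sh /path/to/joomla /path/to/PHPMailer-5.2.19
if [ "$#" -eq 2 ]; then
    replace_phpmailer "$1" "$2"
fi
```

Run it against the development site first, as the comment says, and only then against the live site; the `phpmailerbu/` directory it leaves behind is the rollback if anything in the site's mail flow breaks.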
