PHPMailer Vulnerability CVE-2016-10033

Development-related discussion, including bundled plugins
JustAMacUser
Bear Rating Overlord
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

PHPMailer Vulnerability CVE-2016-10033

Postby JustAMacUser » 26 Dec 2016, 21:19

I'm on mobile so I haven't been able to investigate further with respect to TT-RSS or submit a patch, but since it uses an earlier version of PHPMailer I figured I should share this:



Based on how I think TT-RSS works, this should only be exploitable by registered users but nonetheless should probably be patched.

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 26 Dec 2016, 22:29

should be updated on gitlab, i tried the plugin and it worked but it would be good if someone tested other mail-related crap (i don't even remember - like, password reset links? something else?)

derekschrock
Bear Rating Trainee
Bear Rating Trainee
Posts: 4
Joined: 28 Dec 2016, 10:18

Re: PHPMailer Vulnerability CVE-2016-10033

Postby derekschrock » 28 Dec 2016, 10:22

Appears there's a follow up vulnerability to the original CVE-2016-10033. Additional updates to the embedded phpmailer might be needed?

https://legalhackers.com/advisories/PHP ... ypass.html

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 28 Dec 2016, 10:35

someone post here when that village idiot who couldn't figure out how to send email without executing random code updates his piece of shit library, so i can merge his new attempt into trunk, i guess

the anticipation is killing me

virgo
Bear Rating Trainee
Bear Rating Trainee
Posts: 37
Joined: 12 Jun 2013, 22:14

Re: PHPMailer Vulnerability CVE-2016-10033

Postby virgo » 28 Dec 2016, 13:09

I guess the problem only exists, if SMTP_SERVER is empty (so that mail is sent via system MTA).

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 28 Dec 2016, 13:19

yeah escapeshellargs() would do nothing for an smtp connection

derekschrock
Bear Rating Trainee
Bear Rating Trainee
Posts: 4
Joined: 28 Dec 2016, 10:18

Re: PHPMailer Vulnerability CVE-2016-10033

Postby derekschrock » 29 Dec 2016, 05:26


User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 29 Dec 2016, 07:37

thanks, updated in trunk

Mayhemer
Bear Rating Trainee
Bear Rating Trainee
Posts: 8
Joined: 25 Jan 2014, 15:50

Re: PHPMailer Vulnerability CVE-2016-10033

Postby Mayhemer » 04 Jan 2017, 00:16

The mail plugin seems to be broken, since PHPMailer has been updated. Also my own plugin, which sends mails like the mail plugin does, stopped working. How to use ttrssmailer now?

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 04 Jan 2017, 10:34

well first of all thanks for all the effort of providing no details or even error messages

second of all, https://tt-rss.org/gitlab/fox/tt-rss/co ... 7e356c2a27

Mayhemer
Bear Rating Trainee
Bear Rating Trainee
Posts: 8
Joined: 25 Jan 2014, 15:50

Re: PHPMailer Vulnerability CVE-2016-10033

Postby Mayhemer » 04 Jan 2017, 12:04

Well, first of all, thanks for this very kind first contact. I am always happy being able to help ;-)
Second of all, I had 10 minutes time left and I used that to find a more or less appropriate thread to post the information. I had not enough time to investigate more, but I already wanted to tell you about the bug.
Third of all, if someone had asked about more details, I would have been happy to investigate more, when I have a few minutes left.
Fourth and most important of all, the information I provided was sufficient. :-)

My final question is: should I report a bug the next time, even if it is not perfectly investigated or should I avoid that?

PS: There is no offence intended from my side and I am more than happy about the work you do and the great software you provide.

derekschrock
Bear Rating Trainee
Bear Rating Trainee
Posts: 4
Joined: 28 Dec 2016, 10:18

Re: PHPMailer Vulnerability CVE-2016-10033

Postby derekschrock » 16 Jan 2017, 16:21

I guess this is our monthly update to phpmailer.

Can we get another update to phpmailer? https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.22

This addresses CVE-2017-5223

User avatar
fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia
Contact:

Re: PHPMailer Vulnerability CVE-2016-10033

Postby fox » 16 Jan 2017, 16:27

oh for fucks sake

e: someone please test if it works

Mayhemer
Bear Rating Trainee
Bear Rating Trainee
Posts: 8
Joined: 25 Jan 2014, 15:50

Re: PHPMailer Vulnerability CVE-2016-10033

Postby Mayhemer » 16 Jan 2017, 16:47

Seems to work on my system. Also no suspicious log messages.
I tried the mail plugin and my kindle plugin. Both are working.


Return to “Development”

Who is online

Users browsing this forum: No registered users and 5 guests