I'm on mobile so I haven't been able to investigate further with respect to TT-RSS or submit a patch, but since it uses an earlier version of PHPMailer I figured I should share this:
http://thehackernews.com/2016/12/phpmailer-security.html?m=1
Based on how I think TT-RSS works, this should only be exploitable by registered users but nonetheless should probably be patched.
PHPMailer Vulnerability CVE-2016-10033
-
- Bear Rating Overlord
- Posts: 373
- Joined: 20 Aug 2013, 23:13
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
should be updated on gitlab, i tried the plugin and it worked but it would be good if someone tested other mail-related crap (i don't even remember - like, password reset links? something else?)
-
- Bear Rating Trainee
- Posts: 4
- Joined: 28 Dec 2016, 10:18
Re: PHPMailer Vulnerability CVE-2016-10033
Appears there's a follow up vulnerability to the original CVE-2016-10033. Additional updates to the embedded phpmailer might be needed?
https://legalhackers.com/advisories/PHP ... ypass.html
https://legalhackers.com/advisories/PHP ... ypass.html
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
someone post here when that village idiot who couldn't figure out how to send email without executing random code updates his piece of shit library, so i can merge his new attempt into trunk, i guess
the anticipation is killing me
the anticipation is killing me
Re: PHPMailer Vulnerability CVE-2016-10033
I guess the problem only exists, if SMTP_SERVER is empty (so that mail is sent via system MTA).
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
yeah escapeshellargs() would do nothing for an smtp connection
-
- Bear Rating Trainee
- Posts: 4
- Joined: 28 Dec 2016, 10:18
Re: PHPMailer Vulnerability CVE-2016-10033
fox wrote:someone post here when that village idiot who couldn't figure out how to send email without executing random code updates his piece of shit library, so i can merge his new attempt into trunk, i guess
the anticipation is killing me
According to this tag both CVEs have been fixed, https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.20
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
thanks, updated in trunk
Re: PHPMailer Vulnerability CVE-2016-10033
The mail plugin seems to be broken, since PHPMailer has been updated. Also my own plugin, which sends mails like the mail plugin does, stopped working. How to use ttrssmailer now?
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
well first of all thanks for all the effort of providing no details or even error messages
second of all, https://tt-rss.org/gitlab/fox/tt-rss/co ... 7e356c2a27
second of all, https://tt-rss.org/gitlab/fox/tt-rss/co ... 7e356c2a27
Re: PHPMailer Vulnerability CVE-2016-10033
Well, first of all, thanks for this very kind first contact. I am always happy being able to help 
Second of all, I had 10 minutes time left and I used that to find a more or less appropriate thread to post the information. I had not enough time to investigate more, but I already wanted to tell you about the bug.
Third of all, if someone had asked about more details, I would have been happy to investigate more, when I have a few minutes left.
Fourth and most important of all, the information I provided was sufficient.
My final question is: should I report a bug the next time, even if it is not perfectly investigated or should I avoid that?
PS: There is no offence intended from my side and I am more than happy about the work you do and the great software you provide.

Second of all, I had 10 minutes time left and I used that to find a more or less appropriate thread to post the information. I had not enough time to investigate more, but I already wanted to tell you about the bug.
Third of all, if someone had asked about more details, I would have been happy to investigate more, when I have a few minutes left.
Fourth and most important of all, the information I provided was sufficient.

My final question is: should I report a bug the next time, even if it is not perfectly investigated or should I avoid that?
PS: There is no offence intended from my side and I am more than happy about the work you do and the great software you provide.
-
- Bear Rating Trainee
- Posts: 4
- Joined: 28 Dec 2016, 10:18
Re: PHPMailer Vulnerability CVE-2016-10033
I guess this is our monthly update to phpmailer.
Can we get another update to phpmailer? https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.22
This addresses CVE-2017-5223
Can we get another update to phpmailer? https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.22
This addresses CVE-2017-5223
- fox
- ^ me reading your posts ^
- Posts: 6318
- Joined: 27 Aug 2005, 22:53
- Location: Saint-Petersburg, Russia
- Contact:
Re: PHPMailer Vulnerability CVE-2016-10033
oh for fucks sake
e: someone please test if it works
e: someone please test if it works
Re: PHPMailer Vulnerability CVE-2016-10033
Seems to work on my system. Also no suspicious log messages.
I tried the mail plugin and my kindle plugin. Both are working.
I tried the mail plugin and my kindle plugin. Both are working.
Who is online
Users browsing this forum: No registered users and 1 guest