PHPMailer Vulnerability CVE-2016-10033

[JustAMacUser]

I'm on mobile so I haven't been able to investigate further with respect to TT-RSS or submit a patch, but since it uses an earlier version of PHPMailer I figured I should share this:

http://thehackernews.com/2016/12/phpmailer-security.html?m=1

Based on how I think TT-RSS works, this should only be exploitable by registered users but nonetheless should probably be patched.

[fox]

should be updated on gitlab, i tried the plugin and it worked but it would be good if someone tested other mail-related crap (i don't even remember - like, password reset links? something else?)

[derekschrock]

Appears there's a follow up vulnerability to the original CVE-2016-10033. Additional updates to the embedded phpmailer might be needed?

https://legalhackers.com/advisories/PHP ... ypass.html

[fox]

someone post here when that village idiot who couldn't figure out how to send email without executing random code updates his piece of shit library, so i can merge his new attempt into trunk, i guess

the anticipation is killing me

[virgo]

I guess the problem only exists, if SMTP_SERVER is empty (so that mail is sent via system MTA).

[fox]

yeah escapeshellargs() would do nothing for an smtp connection

[derekschrock]

someone post here when that village idiot who couldn't figure out how to send email without executing random code updates his piece of shit library, so i can merge his new attempt into trunk, i guess

the anticipation is killing me

According to this tag both CVEs have been fixed, https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.20

[fox]

thanks, updated in trunk

[Mayhemer]

The mail plugin seems to be broken, since PHPMailer has been updated. Also my own plugin, which sends mails like the mail plugin does, stopped working. How to use ttrssmailer now?

[fox]

well first of all thanks for all the effort of providing no details or even error messages

second of all, https://tt-rss.org/gitlab/fox/tt-rss/co ... 7e356c2a27

[Mayhemer]

Well, first of all, thanks for this very kind first contact. I am always happy being able to help
Second of all, I had 10 minutes time left and I used that to find a more or less appropriate thread to post the information. I had not enough time to investigate more, but I already wanted to tell you about the bug.
Third of all, if someone had asked about more details, I would have been happy to investigate more, when I have a few minutes left.
Fourth and most important of all, the information I provided was sufficient.

My final question is: should I report a bug the next time, even if it is not perfectly investigated or should I avoid that?

PS: There is no offence intended from my side and I am more than happy about the work you do and the great software you provide.

[derekschrock]

I guess this is our monthly update to phpmailer.

Can we get another update to phpmailer? https://github.com/PHPMailer/PHPMailer/ ... ag/v5.2.22

This addresses CVE-2017-5223

[fox]

oh for fucks sake

e: someone please test if it works

[Mayhemer]

Seems to work on my system. Also no suspicious log messages.
I tried the mail plugin and my kindle plugin. Both are working.