PHPMailer < 5.2.21 Remote Code Execution: OXID eShop is safe!

Shortly after Christmas, our security team received a notification about an issue with the external PHPMailer library < 5.2.21, which we are using in OXID eShop (all currently supported versions and editions). This issue with the identifier CVE-2016-10033 (reserved) was published on 25th December: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html.

We immediately started evaluating this issue in order to find out if OXID eShop is affected and this is what our developers came up with:

With the server-side sendmail transport, the published exploit would have made it possible to inject malicious code through the sender's address and, this way, take control of the entire server.

Fortunately, in the default delivered installation, OXID eShop is safe even with older PHPMailer versions, as the OXID eShop framework takes care of the input validation.

Only if third-party front-end modules bypass the OXID eShop framework and call the PHPMailer library directly might this vulnerability take hold. However, the good news is that even if your shop uses such a module, it is very easy to secure it against this vulnerability:

Yesterday afternoon, 28th December, after some disorder, the developers of PHPMailer released version 5.2.21, which is definitely no longer vulnerable. If you want to make 100% sure, please update the third-party PHPMailer library in your OXID eShop installation by replacing

The next patch releases of all supported versions of OXID eShop will definitely contain these new PHPMailer sources.
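The paragraphs above say that the shop framework validates the sender address before it reaches PHPMailer, and that only custom modules which call PHPMailer directly need extra care. The following is an added example (not OXID's or PHPMailer's own code) of what such a module-level check can look like: a hypothetical `safeSenderAddress()` helper that accepts only a plain mailbox address and refuses anything containing whitespace, quotes, backslashes or other characters that have no place in a sender address. The sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not part of the original post or of the OXID/PHPMailer code.
// Assumed context: a custom module uses PHPMailer directly and lets a
// visitor-supplied address become the envelope sender. Run the address
// through this check before assigning it to PHPMailer's Sender property.

/**
 * Return the address unchanged if it is a plain mailbox address with a
 * conservative character set; throw an InvalidArgumentException otherwise.
 */
function safeSenderAddress(string $address): string
{
    $address = trim($address);

    // Structural check first: must be a syntactically valid e-mail address.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Sender address is not a valid e-mail address');
    }

    // Belt and braces: allow only characters a shop address actually needs.
    // Whitespace, quotes, backslashes and similar characters are refused even
    // when the syntax check above would accept them (e.g. a quoted local part).
    if (!preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $address)) {
        throw new InvalidArgumentException('Sender address contains characters that are not allowed');
    }

    return $address;
}

// Constructed sample inputs: only the first one is expected to be accepted.
$samples = [
    'shop@example.com',
    '"shop"@example.com',        // quoted local part: refused by the whitelist
    'shop@example.com extra',    // embedded whitespace: refused
    "shop\n@example.com",        // control character: refused
];

foreach ($samples as $sample) {
    try {
        printf("accepted: %s\n", safeSenderAddress($sample));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s (%s)\n", json_encode($sample), $e->getMessage());
    }
}
```

The check is deliberately stricter than the e-mail syntax itself: the goal is not to decide whether an address could exist, but to make sure that whatever reaches the mail library is harmless regardless of which PHPMailer version or transport is behind it. Updating PHPMailer as described above remains the actual fix; this check is the extra layer for modules that take the library into their own hands.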

Thanks to Rüdiger Nitzsche from GN2 Netwerk for immediately reporting this issue through our security issue procedure, that is, by writing an e-mail describing the issue to security@, and to all of you who kept working on it despite our annual company holidays!

3 replies
  1. Marco Steinhäuser says:

    [UPDATE 17/1/17]: With CVE-2017-5223 it turned out that there was still a vulnerability in PHPMailer 5.2.21 which was fixed with version 5.2.22. OXID eShop is still not endangered by default installation. But updating the same way as described above is a good idea if you use ‘msgHTML’ in your custom projects.


Trackbacks & Pingbacks

  1. […] Due to a security issue, PHPMailer was updated to v5.2.22. […]

  2. […] At the end of the previous year, a security vulnerability in the PHPMailer library was announced. Since it is also used in OXID eShop, OXID published a detailed post including short instructions for updating PHPMailer to version 5.2.21. It points out that, thanks to the OXID eShop framework, the base installation is absolutely safe despite this vulnerability. Only external front-end modules that access the PHPMailer library directly pose a possible security risk. To rule out this possibility completely, it is advised that the classes class.phpmailer.php and class.smtp.php be replaced with the latest version. (Source: https://oxidforge.org/en/phpmailer-5-2-21-remote-code-execution-oxid-eshop-is-safe.html) […]
