Shortly after Christmas, our security team received a notification about an issue with the external PHPMailer library < 5.2.21, which we are using in OXID eShop (all currently supported versions and editions). This issue with the identifier CVE-2016-10033 (reserved) was published on 25th December: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html.
We immediately started evaluating this issue in order to find out if OXID eShop is affected and this is what our developers came up with:
If mail is delivered through the local sendmail binary (PHP's mail() transport), the published exploit injects additional sendmail command-line options through a crafted sender address: older PHPMailer versions accepted quoted local parts containing spaces as valid, and then passed the address on to sendmail as its -f parameter. A crafted sender address can in this way make sendmail write attacker-controlled content into a file under the web root, which amounts to taking over the entire server.
Fortunately, in the default delivered installation, OXID eShop is not affected even with older PHPMailer versions, because the OXID eShop framework validates the input before it reaches PHPMailer.
Only third-party front-end modules that bypass the OXID eShop framework and call the PHPMailer library directly could be affected by this vulnerability. The good news is that even if your shop uses such a module, it is very easy to secure it:
Yesterday afternoon, 28th December, after some back and forth, the PHPMailer developers released version 5.2.21, which is no longer vulnerable. If you want to be 100% sure, update the third-party PHPMailer library in your OXID eShop installation by replacing
- /core/phpmailer/class.phpmailer.php with this content and
- /core/phpmailer/class.smtp.php with this content.
The next patch releases of all supported versions of OXID eShop will definitely contain these new PHPMailer sources.
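For module authors who hand user-supplied addresses to PHPMailer directly, the following is an added example (not OXID eShop or PHPMailer code) of a conservative pre-check on the sender address, applied before the value ever reaches PHPMailer and thereby sendmail's argument list. It accepts only plain dot-atom addresses and rejects the quoted, whitespace-carrying local parts that the exploit relies on. The function name isSafeSenderAddress(), the sample inputs and the $mailer usage are assumptions for illustration; updating PHPMailer to 5.2.21 remains the real fix.

```php
<?php
// Added example, not code from OXID eShop or PHPMailer.
// A module that calls PHPMailer directly can run user input through this check
// before assigning it to the sender (setFrom / Sender). Hypothetical helper name.

/**
 * Accept only a conservative address shape: dot-atom local part, no quoting,
 * no whitespace, no backslashes, and nothing that could read as a sendmail switch.
 * This deliberately rejects RFC 3696-valid but dangerous quoted local parts.
 */
function isSafeSenderAddress(string $address): bool
{
    $atom   = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+';
    $label  = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    // /D so that "$" does not silently allow a trailing newline.
    $strict = '/^' . $atom . '(?:\.' . $atom . ')*@(?:' . $label . '\.)+[A-Za-z]{2,}$/D';

    if (preg_match($strict, $address) !== 1) {
        return false;
    }
    // Belt and braces: PHP's own validator must agree as well.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Never let the value start like a command-line option.
    return $address[0] !== '-';
}

// Constructed sample inputs with the expected verdict.
$samples = [
    'shop@example.com'              => true,
    '"john doe"@example.com'        => false, // quoted local part with whitespace
    'shop@example.com -X/tmp/out'   => false, // trailing switch-like text
    "shop\n@example.com"            => false, // embedded newline
    '-shop@example.com'             => false, // looks like an option
];

foreach ($samples as $input => $expected) {
    $verdict = isSafeSenderAddress($input);
    printf("%-36s %s\n", json_encode($input), $verdict ? 'accept' : 'reject');
    assert($verdict === $expected);
}

// Illustrative use in a module (hypothetical $mailer, $customerEmail):
// $mailer = new PHPMailer();
// if (!isSafeSenderAddress($customerEmail)) {
//     throw new InvalidArgumentException('unsafe sender address');
// }
// $mailer->setFrom($customerEmail);
```

Note that the check is intentionally stricter than what the RFCs allow: a legitimate but exotic quoted address is rejected in favour of never passing anything with spaces or quotes to the mail transport. Using SMTP instead of the local sendmail binary avoids the argument-injection path altogether, but the library update is still required.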
Thanks to Rüdiger Nitzsche from GN2 Netwerk for immediately reporting this issue through our security issue procedure, namely by e-mailing a description of the issue to [email protected], and to everyone who kept working on it despite our annual company holidays!