Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
5 - 4 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: PHP Mailer exploit Xoops ?
by geekwright on 2016/12/29 3:51:01

Dev's been busy tracking a moving target (PHPMailer had 4 releases in 2 days.)

Just copying in 5.2.21 won't work for every installation, as there were some changes in how the classes were organized. It should work if the transport is PHP mail(), but other configurations may fail without some changes to XoopsMultiMailer.

But, the vulnerability only affects the PHP mail() transport. If the Email delivery method configuration is set to SMTP or sendmail, the vulnerability does not apply.

Good description of the bugs at github.com/PHPMailer/PHPMailer/

The issue depends on a user input of the from address that contains the exploit code. XOOPS core uses a fixed config for the from address, so that mitigates the risk.

Working out the plans for a security patch. Detail will follow when ready and tested.
Re: PHP Mailer exploit Xoops ?
by Yurdal on 2016/12/28 22:27:54

ok i have found the phpmail directory in Xoops, its inside:

/class/mail/phpmailer i dont hear anything from the developers here so i did this:

First download the last version 5.2.21 from GIT:

https://github.com/PHPMailer/PHPMailer

After that i overwrote the files from the zip with that ones from this map /class/mail/phpmailer

Everything seems fine so i strongly suggest to do this ASAP
PHP Mailer exploit Xoops ?
by Yurdal on 2016/12/28 16:57:55

Have xoops phpmailer included ? if yes will it be updated ?
https://www.exploit-db.com/exploits/40968/

Who's Online

169 user(s) are online (124 user(s) are browsing Support Forums)


Members: 0


Guests: 169


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits