[Fixed] command injection of phpmailer ? is this really important? [Xoops Bug Reports]

1

[Fixed] command injection of phpmailer ? is this really important?

2007/6/13 15:51
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

today i just see this news at Gijoe website about using "sendmail" in XOOPS
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=431

now what can we do. i think some users here should be inform to change this setting in Admin --> "Mail Setup"

Ready for Romance
First Persian Harry Potter Site(English added) | Persian Support Site | Xoops Persian Project

2

Re: command injection of phpmailer ? is this really important?

2007/6/13 16:03
giba
Just can't stay away
Posts: 638
Since: 2003/4/26

Yes irmtfan, this relevant communication.

Thanks.

If soluction for this problem search, send here please.

3

Re: command injection of phpmailer ? is this really important?

2007/6/13 21:54
Tobias
Not too shy to talk
Posts: 172
Since: 2005/9/13

Just to make sure I'm getting it right:

We should use phpmail or SMTP, BUT NOT sendmail?

I'm about 99% sure that that's the point, but perhaps I'm getting lost in translation here.

whttp://www.affvu.org

4

Re: command injection of phpmailer ? is this really important?

2007/6/13 22:04
vaughan
Friend of XOOPS
Posts: 680
Since: 2005/11/26

that's correct.. any other method EXCEPT sendmail.

5

Re: command injection of phpmailer ? is this really important?

2007/6/13 22:15
vaughan
Friend of XOOPS
Posts: 680
Since: 2005/11/26

to fix this issue:

open class/mail/phpmailer/class.phpmailer.php

find on line 391 (xoops 2.0.16)

 if ($this->Sender != "") 
            $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender); 
        else 
            $sendmail = sprintf("%s -oi -t", $this->Sendmail);

REPLACE with:

 if ($this->Sender != "") 
        { 
            $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); 
        } else { 
            $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail)); 
        }

voila! now you can use sendmail again safeley :)

6

Re: [Fixed] command injection of phpmailer ? is this really important?

2007/6/13 22:27
vaughan
Friend of XOOPS
Posts: 680
Since: 2005/11/26

i didn't discover the solution.

I got the solution from phpmailer project site, and simply edited the XOOPS class file with their fix..

have submitted it to sf patches tracker.

7

Re: [Fixed] command injection of phpmailer ? is this really important?

2007/6/13 23:00
Tobias
Not too shy to talk
Posts: 172
Since: 2005/9/13

Double or triple thanks, Vaughn. Around line 590 for XOOPS 2.2.

whttp://www.affvu.org

8

Re: [Fixed] command injection of phpmailer ? is this really important?

2007/6/14 10:41
Peekay
XOOPS is my life!
Posts: 2335
Since: 2004/11/20

Why (oh why... ) can we not have a 'security notices' forum like virtually every other CMS community has?.

Then valuable fixes like Vaughn's and the advice in this thread about protecting the XOOPS upload folder could be posted for all to see, not just those that discover these solutions by accident.

A thread is for life. Not just for Christmas.

9

Re: [Fixed] command injection of phpmailer ? is this really important?

2007/6/14 11:19
skenow
Home away from home
Posts: 993
Since: 2004/11/17

Quote:

Peekay wrote:
Why (oh why... ) can we not have a 'security notices' forum like virtually every other CMS community has?.

Then valuable fixes like Vaughn's and the advice in this thread about protecting the XOOPS upload folder could be posted for all to see, not just those that discover these solutions by accident.

There is one at XOOPSinfo - Site and Server Security

Christian Web Master Resources
New SimplyWiki release

10

Re: command injection of phpmailer ? is this really important?

2007/6/14 11:55
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7

vaughan, why is $this->Sendmail escaped, since its value is set in the script, and not from user input?

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

[Fixed] command injection of phpmailer ? is this really important?

Re: command injection of phpmailer ? is this really important?

Re: command injection of phpmailer ? is this really important?

Re: command injection of phpmailer ? is this really important?

Re: command injection of phpmailer ? is this really important?

Re: [Fixed] command injection of phpmailer ? is this really important?

Re: [Fixed] command injection of phpmailer ? is this really important?

Re: [Fixed] command injection of phpmailer ? is this really important?

Re: [Fixed] command injection of phpmailer ? is this really important?

Re: command injection of phpmailer ? is this really important?

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}