XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. General XOOPS.org forums / 
  3. XOOPS.org Members Lounge 
  4.  / PHPMailer is vulnerable to DoS attack
Register
1
LazyBadger
PHPMailer is vulnerable to DoS attack

PHPMailer version 1.72 and below reported as vulnerable to remote DoS-attack
XOOPS now uses ancient 1.65!!!!
Quis custodiet ipsos custodes?

Webmaster of
XOOPS2.RU
XOOPS Modules Proving Ground
XOOPS Themes Exhibition
2
stefan88
Re: PHPMailer is vulnerable to DoS attack

  • 2005/8/4 19:33

  • stefan88

  • Community Support Member

  • Posts: 1086

  • Since: 2004/9/20


Hi,

maybe some of the developers should check this, but I think you could apply the fix:

in file "class.smtp.php" around line 316 after this

while(strlen($line) > $max_line_length) {
$pos strrpos(substr($line,0,$max_line_length)," ");


paste this

# Patch to fix DOS attack
if(!$pos) {
$pos $max_line_length 1;
}


However I DID NOT TESTED this !!!
..
3
LazyBadger
Re: PHPMailer is vulnerable to DoS attack

I done it (exactly) already some time ago

class.phpmailer also was changed in 1.73, here is diff for 72-73

--- class.phpmailer.1.72.php    Fri Dec 03 16:19:36 2004
+++ class.phpmailer.1.73.php    Tue Jul 26 15:32:10 2005
@@ -125,+125,@@
      *  Holds PHPMailer version.
      *  @var string
      */
-    var $Version           "1.72";
+    var $Version           "1.73";
 
     /**
      * Sets the email address that a reading confirmation will be sent.
@@ -740,7 +740,7 @@
         {
            case "alt":
               // fall through
-           case "alt_attachment":
+           case "alt_attachments":
               $this->AltBody = $this->WrapText($this->AltBody, $this->WordWrap);
               break;
            default:
@@ -1087,9 +1087,12 @@
             $this->SetError($this->Lang("file_open") . $path);
             return "";
         }
+        $magic_quotes = get_magic_quotes_runtime();
+        set_magic_quotes_runtime(0);
         $file_buffer = fread($fd, filesize($path));
         $file_buffer = $this->EncodeString($file_buffer, $encoding);
         fclose($fd);
+        set_magic_quotes_runtime($magic_quotes);
 
         return $file_buffer;
     }


Diff for 65-73 is significantly bigger, 70K
Quis custodiet ipsos custodes?

Webmaster of
XOOPS2.RU
XOOPS Modules Proving Ground
XOOPS Themes Exhibition
4
skalpa
Re: PHPMailer is vulnerable to DoS attack

  • 2005/8/4 22:45

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


1) New versions aren't compatible with multibyte character sets.
2) XOOPS is not an e-mail program, phpmailer is used under specific circumstances by the core, most of the time with truncated fields coming from the database.
So we will fix this, but its importance is mitigated.
3) There is a "report core bug" link on the left
Any intelligent fool can make things bigger, and more complex. It takes a touch of genius, a lot of courage, to move in the opposite direction.
Two things are infinite: the universe and human stupidity; and I'm not sure about the 1st one (A.Einstein)

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

218 user(s) are online (133 user(s) are browsing Support Forums)

Members: 0

Guests: 218

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits