Re: PHP Mailer exploit Xoops ?
Dev's been busy tracking a moving target (PHPMailer had 4 releases in 2 days.)
Just copying in 5.2.21 won't work for every installation, as there were some changes in how the classes were organized. It should work if the transport is PHP mail(), but other configurations may fail without some changes to XoopsMultiMailer.
But, the vulnerability only affects the PHP mail() transport. If the Email delivery method configuration is set to SMTP or sendmail, the vulnerability does not apply.
Good description of the bugs at github.com/PHPMailer/PHPMailer/
The issue depends on a user input of the from address that contains the exploit code. XOOPS core uses a fixed config for the from address, so that mitigates the risk.
Working out the plans for a security patch. Detail will follow when ready and tested.
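
Added example, not part of the post above and not XOOPS or PHPMailer code: a small PHP check that encodes the two conditions the post gives (mail() transport, user-supplied from address) and falls back to a fixed sender when a supplied address fails a conservative allowlist. The config keys `transport` and `from_is_user_input`, the function names and the sample addresses are all hypothetical.

```php
<?php
// Added example: not XOOPS or PHPMailer code. All names and config keys are hypothetical.

// Conservative allowlist for a sender address: plain local part, LDH domain
// labels, no whitespace, quotes, backslashes or control characters.
function is_safe_sender(string $address): bool
{
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@'
             . '(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/';
    return preg_match($pattern, $address) === 1;
}

// Classify a mailer setup using the two conditions stated in the post.
function assess_mail_config(array $config): string
{
    $transport = strtolower($config['transport'] ?? 'mail');
    if ($transport !== 'mail') {
        return 'not-applicable'; // SMTP or sendmail delivery
    }
    if (empty($config['from_is_user_input'])) {
        return 'mitigated';      // fixed, admin-configured From address
    }
    return 'exposed';            // mail() transport with a user-supplied From
}

// Use the fixed address unless the user-supplied one passes the allowlist.
function choose_sender(string $userSupplied, string $fixedFrom): string
{
    return is_safe_sender($userSupplied) ? $userSupplied : $fixedFrom;
}

// Constructed sample data.
$configs = [
    ['transport' => 'smtp', 'from_is_user_input' => true],
    ['transport' => 'mail', 'from_is_user_input' => false],
    ['transport' => 'mail', 'from_is_user_input' => true],
];
foreach ($configs as $c) {
    printf("%-5s user_from=%-5s => %s\n", $c['transport'],
        var_export($c['from_is_user_input'], true), assess_mail_config($c));
}
$fixed = 'webmaster@example.org';
foreach (['visitor@example.com', 'has space@example.com', '"quoted"@example.com'] as $from) {
    printf("%-24s => %s\n", $from, choose_sender($from, $fixed));
}
```

The allowlist is deliberately stricter than what mail standards permit; addresses it rejects are replaced by the fixed sender rather than passed through.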