1
irmtfan
[Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/13 15:51

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


today i just see this news at Gijoe website about using "sendmail" in XOOPS
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=431

now what can we do. i think some users here should be inform to change this setting in Admin --> "Mail Setup"

2
giba
Re: command injection of phpmailer ? is this really important?
  • 2007/6/13 16:03

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Yes irmtfan, this relevant communication.

Thanks.

If soluction for this problem search, send here please.

3
Tobias
Re: command injection of phpmailer ? is this really important?
  • 2007/6/13 21:54

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Just to make sure I'm getting it right:

We should use phpmail or SMTP, BUT NOT sendmail?

I'm about 99% sure that that's the point, but perhaps I'm getting lost in translation here.

4
vaughan
Re: command injection of phpmailer ? is this really important?
  • 2007/6/13 22:04

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


that's correct.. any other method EXCEPT sendmail.

5
vaughan
Re: command injection of phpmailer ? is this really important?
  • 2007/6/13 22:15

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


to fix this issue:

open class/mail/phpmailer/class.phpmailer.php

find on line 391 (xoops 2.0.16)

if ($this->Sender != "")
            
$sendmail sprintf("%s -oi -f %s -t"$this->Sendmail$this->Sender);
        else
            
$sendmail sprintf("%s -oi -t"$this->Sendmail);


REPLACE with:

if ($this->Sender != "")
        {
            
$sendmail sprintf("%s -oi -f %s -t"escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
        } else {
            
$sendmail sprintf("%s -oi -t"escapeshellcmd($this->Sendmail));
        }


voila! now you can use sendmail again safeley :)

6
vaughan
Re: [Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/13 22:27

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


i didn't discover the solution.

I got the solution from phpmailer project site, and simply edited the XOOPS class file with their fix..

have submitted it to sf patches tracker.

7
Tobias
Re: [Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/13 23:00

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Double or triple thanks, Vaughn. Around line 590 for XOOPS 2.2.

8
Peekay
Re: [Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/14 10:41

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Why (oh why... ) can we not have a 'security notices' forum like virtually every other CMS community has?.

Then valuable fixes like Vaughn's and the advice in this thread about protecting the XOOPS upload folder could be posted for all to see, not just those that discover these solutions by accident.
A thread is for life. Not just for Christmas.

9
skenow
Re: [Fixed] command injection of phpmailer ? is this really important?
  • 2007/6/14 11:19

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Quote:

Peekay wrote:
Why (oh why... ) can we not have a 'security notices' forum like virtually every other CMS community has?.

Then valuable fixes like Vaughn's and the advice in this thread about protecting the XOOPS upload folder could be posted for all to see, not just those that discover these solutions by accident.


There is one at XOOPSinfo - Site and Server Security

10
Dave_L
Re: command injection of phpmailer ? is this really important?
  • 2007/6/14 11:55

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


vaughan, why is $this->Sendmail escaped, since its value is set in the script, and not from user input?

Login

Who's Online

251 user(s) are online (123 user(s) are browsing Support Forums)


Members: 0


Guests: 251


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits