[MDL-57531] Address the vulnerabilities in recent PHPMailer 5.2.x - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.7.17, 3.0.7, 3.1.3, 3.2
Fix Version/s: 2.7.18, 3.0.8, 3.1.4, 3.2.1
Component/s: Libraries
Labels:
- ci
- triaged

Affected Branches:
MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
Fixed Branches:
MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
Pull from Repository:
git://github.com/mudrd8mz/moodle.git
Pull Master Branch:
~~MDL-57531~~-master-phpmailer
Pull Master Diff URL:
https://github.com/mudrd8mz/moodle/compare/c4cf1c60f5...MDL-57531-master-phpmailer
Testing Instructions:

Hide

On versions 3.1 and below enable emailonlyfromnoreplyaddress.

in admin > server > email > outgoing mail configuration
setting an invalid email address in the noreply address field - ensure that form validation works correctly and an invalid email address cannot be set.

With an invalid noreply set (via config.php or directly in db before this patch)
trigger an e-mail to be sent and check that the noreply address has been set to:
noreply@(SITEURL)

with a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured.

in admin > server > email > outgoing mail configuration
add a new allowed email domain: eg: *.moodle.org
Trigger an e-mail from a user that has a valid *.moodle.org address and check to see if that email is set in the from component of the sent email.
Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com"
check to make sure a debugging message appears when this e-mail is attempted and no e-mail is sent.

Show
On versions 3.1 and below enable emailonlyfromnoreplyaddress. in admin > server > email > outgoing mail configuration setting an invalid email address in the noreply address field - ensure that form validation works correctly and an invalid email address cannot be set. With an invalid noreply set (via config.php or directly in db before this patch) trigger an e-mail to be sent and check that the noreply address has been set to: noreply@(SITEURL) with a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured. in admin > server > email > outgoing mail configuration add a new allowed email domain: eg: *.moodle.org Trigger an e-mail from a user that has a valid *.moodle.org address and check to see if that email is set in the from component of the sent email. Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com" check to make sure a debugging message appears when this e-mail is attempted and no e-mail is sent.

Description

PHPMailer should be updated to 5.2.21+ - was .18 when opening this issue BUT a 0-day vulnerability was found in it: CVE-2016-10045. See more details in the comments too - in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:

A successful exploitation could let remote attackers to gain access to
the target server in the context of the web server account which could
lead to a full compromise of the web application.

At the time of .18 there was already an exploit but not publicly available but then when .18 was released a public exploit was incorrectly published (then becoming a 0-day vulnerability!): PHPMailer has already patched the code for both the two CVEs.

Please keep care of new properties/features to avoid kind of ~~MDL-52637~~ and ~~MDL-57474~~ issues:

5.2.18 (CVE-2016-10033): https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their changelog (PHP 7.1 support in CI is a plus since 5.2.17+).
5.2.21 (CVE-2016-10045): fixes the 0-day vulnearbility added in .18 but added a new functional limit at least when using VERP addresses for the sender when using mail() and not an SMTP host.

Attachments

Issue Links

blocks

MDL-57573 Upgrade PHPMailer to 5.2.23

Closed

has a non-specific relationship to

MDL-28513 Allow specification of admin user email in CLI installer

Closed

has been marked as being related by

MDL-57567 validate_email incorrectly allows repeated dots.

Closed

is duplicated by

MDL-57535 [CVE-2016-10033] PHPMailer < 5.2.18 Remote Code Execution

Closed

Activity

People

Assignee:: David Mudrák (@mudrd8mz)

Reporter:: Matteo Scaramuccia

Peer reviewer:: Dan Marsden

Integrator:: Dan Poltawski

Tester:: Eloy Lafuente (stronk7)

Participants:: CiBoT, Dan Marsden, Dan Poltawski, David Mudrák (@mudrd8mz), Eloy Lafuente (stronk7), James McLean, Matteo Scaramuccia, Peter Bulmer, Rajesh Taneja

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 8 Vote for this issue

Watchers:: 24 Start watching this issue

Dates

Created:: 27/Dec/16 1:15 AM

Updated:: 17/Jan/17 8:19 PM

Resolved:: 07/Jan/17 12:56 AM

Fix Release Date:: 9/Jan/17