Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-57531

Address the vulnerabilities in recent PHPMailer 5.2.x

    XMLWordPrintable

Details

    • MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • MDL-57531-master-phpmailer
    • Hide

      On versions 3.1 and below enable emailonlyfromnoreplyaddress.

      in admin > server > email > outgoing mail configuration
      setting an invalid email address in the noreply address field - ensure that form validation works correctly and an invalid email address cannot be set.

      With an invalid noreply set (via config.php or directly in db before this patch)
      trigger an e-mail to be sent and check that the noreply address has been set to:
      noreply@(SITEURL)

      with a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured.

      in admin > server > email > outgoing mail configuration
      add a new allowed email domain: eg: *.moodle.org
      Trigger an e-mail from a user that has a valid *.moodle.org address and check to see if that email is set in the from component of the sent email.
      Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com"
      check to make sure a debugging message appears when this e-mail is attempted and no e-mail is sent.

      Show
      On versions 3.1 and below enable emailonlyfromnoreplyaddress. in admin > server > email > outgoing mail configuration setting an invalid email address in the noreply address field - ensure that form validation works correctly and an invalid email address cannot be set. With an invalid noreply set (via config.php or directly in db before this patch) trigger an e-mail to be sent and check that the noreply address has been set to: noreply@(SITEURL) with a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured. in admin > server > email > outgoing mail configuration add a new allowed email domain: eg: *.moodle.org Trigger an e-mail from a user that has a valid *.moodle.org address and check to see if that email is set in the from component of the sent email. Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com" check to make sure a debugging message appears when this e-mail is attempted and no e-mail is sent.

    Description

      PHPMailer should be updated to 5.2.21+ - was .18 when opening this issue BUT a 0-day vulnerability was found in it: CVE-2016-10045. See more details in the comments too - in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:

      A successful exploitation could let remote attackers to gain access to
      the target server in the context of the web server account which could
      lead to a full compromise of the web application.

      At the time of .18 there was already an exploit but not publicly available but then when .18 was released a public exploit was incorrectly published (then becoming a 0-day vulnerability!): PHPMailer has already patched the code for both the two CVEs.

      Please keep care of new properties/features to avoid kind of MDL-52637 and MDL-57474 issues:

      Attachments

        Issue Links

          Activity

            People

              mudrd8mz David Mudrák (@mudrd8mz)
              matteo Matteo Scaramuccia
              Dan Marsden Dan Marsden
              Dan Poltawski Dan Poltawski
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Raquel Ortega, Sara Arjona (@sarjona)
              Votes:
              8 Vote for this issue
              Watchers:
              24 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                9/Jan/17