Moodle / MDL-57531

Address the vulnerabilities in recent PHPMailer 5.2.x

    Details

    • Testing Instructions:
      On versions 3.1 and below, enable emailonlyfromnoreplyaddress.

      In admin > server > email > outgoing mail configuration,
      set an invalid email address in the noreply address field and ensure that form validation works correctly and an invalid email address cannot be set.

      With an invalid noreply set (via config.php or directly in the db before this patch),
      trigger an e-mail to be sent and check that the noreply address has been set to:
      noreply@(SITEURL)

      With a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured.

      In admin > server > email > outgoing mail configuration,
      add a new allowed email domain, e.g. *.moodle.org
      Trigger an e-mail from a user that has a valid *.moodle.org address and check to see if that email is set in the from component of the sent email.
      Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com"),
      and check to make sure a debugging message appears when this e-mail is attempted and no e-mail is sent.

    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Pull from Repository:
    • Pull 2.7 Branch:
      MDL-57531-27-phpmailer
    • Pull 3.1 Branch:
      MDL-57531-31-phpmailer
    • Pull 3.2 Branch:
      MDL-57531-32-phpmailer
    • Pull Master Branch:
      MDL-57531-master-phpmailer
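
The behaviour the testing instructions above check for, as a minimal PHP sketch added here for illustration; it is not code from the Moodle patch. The function names, the site URL and the wildcard semantics (`*.moodle.org` also covering `moodle.org`) are assumptions.

```php
<?php
// Added illustration. Function names are hypothetical, not Moodle's API.

// True only for a syntactically valid address containing no control bytes.
function is_safe_address(string $addr): bool {
    // CR/LF in an address would let it break out of a header or SMTP command.
    if (preg_match('/[\x00-\x1F\x7F]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// An invalid configured noreply falls back to noreply@<host of the site URL>.
function effective_noreply(string $configured, string $siteurl): string {
    if (is_safe_address($configured)) {
        return $configured;
    }
    return 'noreply@' . (string) parse_url($siteurl, PHP_URL_HOST);
}

// Assumed semantics: "*.example.org" covers example.org and its subdomains.
function domain_allowed(string $addr, array $patterns): bool {
    $domain = strtolower(substr($addr, strrpos($addr, '@') + 1));
    foreach ($patterns as $pattern) {
        $pattern = strtolower(trim($pattern));
        if (strpos($pattern, '*.') === 0) {
            $base = substr($pattern, 2);
            $suffix = '.' . $base;
            if ($domain === $base || substr($domain, -strlen($suffix)) === $suffix) {
                return true;
            }
        } elseif ($domain === $pattern) {
            return true;
        }
    }
    return false;
}

// Returns the From address to use, or null when nothing may be sent.
function choose_from(string $sender, string $noreply, array $allowed): ?string {
    if (!is_safe_address($sender)) {
        error_log('debug: invalid sender address, e-mail not sent');
        return null;
    }
    return domain_allowed($sender, $allowed) ? $sender : $noreply;
}

// Constructed inputs mirroring the test steps above.
$noreply = effective_noreply('not-an-address', 'https://lms.example.test/moodle');
$allowed = ['*.moodle.org'];
$senders = [
    'teacher@moodle.org',                                   // valid, allowed domain
    'student@example.com',                                  // valid, other domain
    "moodle@moodle.org>\r\nRCPT TO:<victim@example.com",    // tampered at db level
];
foreach ($senders as $sender) {
    $from = choose_from($sender, $noreply, $allowed);
    echo json_encode($sender), ' => ', json_encode($from), PHP_EOL;
}
```

The control-character check runs before any other parsing, so a tampered address is refused before its domain is ever compared against the allow-list.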

      Description

      PHPMailer should be updated to 5.2.21+ - was .18 when opening this issue BUT a 0-day vulnerability was found in it: CVE-2016-10045. See more details in the comments too - in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:

      A successful exploitation could let remote attackers to gain access to
      the target server in the context of the web server account which could
      lead to a full compromise of the web application.

      At the time of .18 there was already an exploit, though not publicly available; then, when .18 was released, a public exploit was incorrectly published (then becoming a 0-day vulnerability!). PHPMailer has already patched the code for both CVEs.

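      Please take care of new properties/features to avoid issues like MDL-52637 and MDL-57474:

      - 5.2.18 (CVE-2016-10033): https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their changelog (https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md) (PHP 7.1 support in CI is a plus since 5.2.17+).
      - 5.2.21 (CVE-2016-10045): fixes (https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities) the 0-day vulnerability added in .18 but added a new functional limit at least when using VERP addresses (https://github.com/PHPMailer/PHPMailer/issues/944) for the sender when using mail() and not an SMTP host.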

              Activity

              matteo Matteo Scaramuccia created issue -
              mudrd8mz David Mudrák made changes -
              Field Original Value New Value
              Assignee David Mudrák [ mudrd8mz ]
              mudrd8mz David Mudrák made changes -
              Status Open [ 1 ] Development in progress [ 3 ]
              mudrd8mz David Mudrák made changes -
              Labels triaged
              mudrd8mz David Mudrák made changes -
              Link This issue is duplicated by MDL-57534 [ MDL-57534 ]
              mudrd8mz David Mudrák made changes -
              Link This issue is duplicated by MDL-57535 [ MDL-57535 ]
              mudrd8mz David Mudrák made changes -
              Security Serious security issue [ 10000 ]
              mudrd8mz David Mudrák made changes -
              Summary Upgrade PHPMailer to 5.2.18 Upgrade PHPMailer to latest 5.2.x
              poltawski Dan Poltawski made changes -
              Link This issue is duplicated by MDL-57539 [ MDL-57539 ]
              poltawski Dan Poltawski made changes -
              Link This issue is duplicated by MDL-57541 [ MDL-57541 ]
              poltawski Dan Poltawski made changes -
              Priority Minor [ 4 ] Blocker [ 1 ]
              matteo Matteo Scaramuccia made changes -
              Link This issue has a non-specific relationship to MDL-28513 [ MDL-28513 ]
              matteo Matteo Scaramuccia made changes -
              Description PHPMailer should be updated to 5.2.18 in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:
              {quote}
              A successful exploitation could let remote attackers to gain access to
              the target server in the context of the web server account which could
              lead to a full compromise of the web application.
              {quote}

              There is already an exploit but not publicly available: PHPMailer has already patched the code.

              Please keep care of new properties/features to avoid kind of MDL-52637: https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their [changelog|https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md] (PHP 7.1 support in CI is a plus since 5.2.17+).
              PHPMailer should be updated to _5.2.21+_ (was _.18_ but a [_0-day vulnerability_|https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities#act-ii] was found in it: CVE-2016-10045. See more details in the comments too) in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:
              {quote}
              A successful exploitation could let remote attackers to gain access to
              the target server in the context of the web server account which could
              lead to a full compromise of the web application.
              {quote}

              At the time of _.18_ there is already an exploit but not publicly available but then when _.18_ was released a public exploit (0-day) was incorrectly published: PHPMailer has already patched the code for both the two CVEs.

              Please keep care of new properties/features to avoid kind of MDL-52637 and .

              * _5.2.18_: https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their [changelog|https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md] (PHP 7.1 support in CI is a plus since 5.2.17+).
              * _5.2.21_: fixes the 0-day vulnerability added in _.18_.
              matteo Matteo Scaramuccia made changes -
              Description
              PHPMailer should be updated to _5.2.21+_ - was _.18_ when opening this issue BUT a [_0-day vulnerability_|https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities#act-ii] was found in it: CVE-2016-10045. See more details in the comments too - in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:
              {quote}
              A successful exploitation could let remote attackers to gain access to
              the target server in the context of the web server account which could
              lead to a full compromise of the web application.
              {quote}

              At the time of _.18_ there was already an exploit but not publicly available but then when _.18_ was released a public exploit was incorrectly published (then becoming a *0-day* vulnerability!): PHPMailer has already patched the code for both the two CVEs.

              Please keep care of new properties/features to avoid kind of MDL-52637 and MDL-57474 issues:

              - _5.2.18_ (CVE-2016-10033): https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their [changelog|https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md] (PHP 7.1 support in CI is a plus since 5.2.17+).
              - _5.2.21_ (CVE-2016-10045): [fixes|https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities] the 0-day vulnerability added in _.18_ but added a new functional limit at least when using VERP addresses for the sender when using {{mail()}} and not an SMTP host.
              matteo Matteo Scaramuccia made changes -
              Description
              PHPMailer should be updated to _5.2.21+_ - was _.18_ when opening this issue BUT a [_0-day vulnerability_|https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities#act-ii] was found in it: CVE-2016-10045. See more details in the comments too - in all the security supported branches, https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:
              {quote}
              A successful exploitation could let remote attackers to gain access to
              the target server in the context of the web server account which could
              lead to a full compromise of the web application.
              {quote}

              At the time of _.18_ there was already an exploit but not publicly available but then when _.18_ was released a public exploit was incorrectly published (then becoming a *0-day* vulnerability!): PHPMailer has already patched the code for both the two CVEs.

              Please keep care of new properties/features to avoid kind of MDL-52637 and MDL-57474 issues:

              - _5.2.18_ (CVE-2016-10033): https://github.com/PHPMailer/PHPMailer/compare/v5.2.16...PHPMailer:v5.2.18. From what I've seen there should be no issue, including double reading their [changelog|https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md] (PHP 7.1 support in CI is a plus since 5.2.17+).
              - _5.2.21_ (CVE-2016-10045): [fixes|https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities] the 0-day vulnerability added in _.18_ but added a new functional limit at least when [using VERP addresses|https://github.com/PHPMailer/PHPMailer/issues/944] for the sender when using {{mail()}} and not an SMTP host.
              poltawski Dan Poltawski made changes -
              Link This issue is duplicated by MDL-57559 [ MDL-57559 ]
              mudrd8mz David Mudrák made changes -
              Summary Upgrade PHPMailer to latest 5.2.x Address the vulnerabilities in recent PHPMailer 5.2.x
              danmarsden Dan Marsden made changes -
              Testing Instructions
              danmarsden Dan Marsden made changes -
              Status Development in progress [ 3 ] Waiting for integration review [ 10010 ]
              danmarsden Dan Marsden made changes -
              Peer reviewer Dan Marsden [ danmarsden ]
              cibot CiBoT made changes -
              Labels triaged ci triaged
              danmarsden Dan Marsden made changes -
              Link This issue has been marked as being related by MDL-57567 [ MDL-57567 ]
              poltawski Dan Poltawski made changes -
              Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
              Integrator Dan Poltawski [ poltawski ]
              Currently in integration Yes [ 10041 ]
              mudrd8mz David Mudrák made changes -
              Labels ci triaged ci cime triaged
              cibot CiBoT made changes -
              Labels ci cime triaged ci triaged
              poltawski Dan Poltawski made changes -
              Status Integration review in progress [ 10004 ] Waiting for testing [ 10005 ]
              Affects Version/s 3.3 [ 15552 ]
              Fix Version/s 2.7.18 [ 15653 ]
              Fix Version/s 3.0.8 [ 15654 ]
              Fix Version/s 3.1.4 [ 15655 ]
              Fix Version/s 3.2.1 [ 15659 ]
              poltawski Dan Poltawski made changes -
              Testing Instructions
              poltawski Dan Poltawski made changes -
              Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
              Tester Dan Poltawski [ poltawski ]
              stronk7 Eloy Lafuente (stronk7) made changes -
              Tester Dan Poltawski [ poltawski ] Eloy Lafuente (stronk7) [ stronk7 ]
              poltawski Dan Poltawski made changes -
              Link This issue blocks MDL-57573 [ MDL-57573 ]
              rajeshtaneja Rajesh Taneja made changes -
              Status Testing in progress [ 10011 ] Problem during testing [ 10007 ]
              poltawski Dan Poltawski made changes -
              Status Problem during testing [ 10007 ] Waiting for testing [ 10005 ]
              poltawski Dan Poltawski made changes -
              Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
              poltawski Dan Poltawski made changes -
              Status Testing in progress [ 10011 ] Tested [ 10006 ]
              poltawski Dan Poltawski made changes -
              Status Tested [ 10006 ] Closed [ 6 ]
              Integration date 06/Jan/17
              Currently in integration Yes [ 10041 ]
              Resolution Fixed [ 1 ]
              marina Marina Glancy made changes -
              Link This issue has been marked as being related by MDL-57555 [ MDL-57555 ]

                People

                • Votes: 8
                • Watchers: 25

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    9/Jan/17