Moodle / MDL-57531

Address the vulnerabilities in recent PHPMailer 5.2.x

    Details

    • Testing Instructions:
      On versions 3.1 and below, enable emailonlyfromnoreplyaddress.

      In admin > server > email > outgoing mail configuration,
      try setting an invalid email address in the noreply address field. Ensure that form validation works correctly and an invalid email address cannot be set.

      With an invalid noreply set (via config.php or directly in the db before this patch),
      trigger an e-mail to be sent and check that the noreply address has been set to:
      noreply@(SITEURL)

      With a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured.

      In admin > server > email > outgoing mail configuration,
      add a new allowed email domain, e.g. *.moodle.org
      Trigger an e-mail from a user that has a valid *.moodle.org address and check that that email is set in the from component of the sent email.
      Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com").
      Check that a debugging message appears when this e-mail is attempted and no e-mail is sent.

    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Pull from Repository:
    • Pull 2.7 Branch:
      MDL-57531-27-phpmailer
    • Pull 3.1 Branch:
      MDL-57531-31-phpmailer
    • Pull 3.2 Branch:
      MDL-57531-32-phpmailer
    • Pull Master Branch:
      MDL-57531-master-phpmailer
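
The sender checks exercised by the testing instructions above, sketched as an added example (not Moodle's own code). The function names, the sample addresses, the wildcard matching rule and the choice to refuse every invalid sender address are assumptions.

```php
<?php
// Added example, not Moodle's code: all function names and sample values are hypothetical.

function example_is_safe_address(string $email): bool {
    // CR/LF or angle brackets let a stored value break out of MAIL FROM / From:.
    if (preg_match('/[\r\n<>]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function example_domain_allowed(string $email, array $allowed): bool {
    $at = strrchr($email, '@');
    if ($at === false) {
        return false;
    }
    $domain = strtolower(substr($at, 1));
    foreach ($allowed as $entry) {
        $entry = strtolower(trim($entry));
        if (strpos($entry, '*.') === 0) {
            // Assumption: "*.moodle.org" covers moodle.org and any subdomain.
            $base = substr($entry, 2);
            if ($domain === $base || substr($domain, -strlen($base) - 1) === '.' . $base) {
                return true;
            }
        } else if ($domain === $entry) {
            return true;
        }
    }
    return false;
}

// Returns the From address to use, or null when the message must not be sent.
function example_pick_from(string $userfrom, string $noreply, string $sitehost, array $allowed): ?string {
    if (!example_is_safe_address($userfrom)) {
        error_log('Refusing to send: invalid sender address'); // stands in for a debugging message
        return null;
    }
    // An invalid configured noreply falls back to noreply@(site host).
    $fallback = example_is_safe_address($noreply) ? $noreply : 'noreply@' . $sitehost;
    return example_domain_allowed($userfrom, $allowed) ? $userfrom : $fallback;
}

// Constructed sample values; the last sender string is the one from the testing instructions.
$allowed = ['*.moodle.org'];
$bad = "moodle@moodle.org>\r\nRCPT TO:<victim@example.com";
var_dump(example_pick_from('teacher@moodle.org', 'noreply@lms.example.org', 'lms.example.org', $allowed));
var_dump(example_pick_from('student@example.net', 'not an address', 'lms.example.org', $allowed));
var_dump(example_pick_from($bad, 'noreply@lms.example.org', 'lms.example.org', $allowed));
```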

      Description

      PHPMailer should be updated to 5.2.21+ in all the security supported branches. It was .18 when opening this issue, BUT a 0-day vulnerability was found in it: CVE-2016-10045. See more details in the comments too. From https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:

      A successful exploitation could let remote attackers to gain access to
      the target server in the context of the web server account which could
      lead to a full compromise of the web application.

      At the time of .18 there was already an exploit, though not publicly available, but when .18 was released a public exploit was incorrectly published (thus becoming a 0-day vulnerability!). PHPMailer has already patched the code for both CVEs.

      Please take care with new properties/features to avoid issues like MDL-52637 and MDL-57474:

                People

                • Votes:
                  8
                  Watchers:
                  25

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    9/Jan/17