A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.
The exploit takes advantage of a hole in how PHP implements the internal interface to the sendmail MTA: the setting for the sender address can be used to gain access to system resources. This exploit is described in “PHPMailer 0day remote command execution” and “CVE-2007-3215”.
After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool, because we read the sender address from configuration data. To use this exploit, someone would already require administrator-level access and/or direct access to the database, so the probability of exploitation is very low. A small patch will be added in the next release to prevent the problem completely.
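To illustrate the kind of hardening the patch described above provides, here is an added PHP example; it is not Mantis or PHPMailer code, and the function names, the fallback address and the sendmail path are assumptions. It restricts the configured sender address to a plain mailbox form before the address is placed on the sendmail command line, and quotes it as a single argument regardless, so that a bad value in configuration or the database cannot reach the shell as anything but a literal string.

```php
<?php
// Added example, not code from Mantis or PHPMailer. Names are assumptions.

/**
 * Accept only a plain mailbox: an allow-listed local part, '@', and a
 * dotted host name. Quoted local parts and any character outside the
 * allow-list are rejected, and the caller gets the safe fallback instead.
 */
function safe_sender_address(string $configured, string $fallback): string
{
    $addr = trim($configured);
    $pattern = '/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$/';
    if ($addr === '' || strlen($addr) > 254 || !preg_match($pattern, $addr)) {
        return $fallback;
    }
    return $addr;
}

/**
 * Build the sendmail command line. The address has already been validated,
 * but escapeshellarg() is applied as defence in depth so the shell always
 * sees the sender as one literal token.
 */
function build_sendmail_command(string $sendmail_path, string $sender): string
{
    return $sendmail_path . ' -oi -f ' . escapeshellarg($sender) . ' -t';
}

// Constructed sample values standing in for the configured sender address.
$fallback = 'mantis@example.invalid';          // assumed safe default
$samples  = ['noreply@example.com',            // accepted as-is
             'bad address@example.com',        // rejected: embedded space
             '"quoted"@example.com',           // rejected: quoted local part
             ''];                              // rejected: empty

foreach ($samples as $configured) {
    $sender = safe_sender_address($configured, $fallback);
    echo build_sendmail_command('/usr/sbin/sendmail', $sender), PHP_EOL;
}
```

The sendmail path itself should likewise come only from trusted configuration; the point of the example is that a single validated, quoted argument is all that ever reaches the MTA, whichever value the sender setting holds.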
In general, we recommend using SMTP mode rather than the local sendmail implementation. Most platforms (Windows especially) have problems with PHP's internal sendmail implementation. The PHPMailer implementation of SMTP is more robust and slightly faster.
This post was prepared by thraxisp.