View Issue Details

ID: 0022073
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-01-16 03:33
Reporter: hanno
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.4
Target Version: 1.3.5
Fixed in Version: 1.3.5
Summary: 0022073: Potentially serious RCE vulnerability in bundled PHPMailer before 5.2.18 (CVE-2016-10033)
Description

There has been a report about a serious vulnerability in PHPMailer before 5.2.18:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Details at this point are scarce, but it looks like if an attacker can somehow control parts of the usage of a mail sent via PHPMailer he can execute code on the webserver. It is likely to assume that this affects all mantis installations where untrusted users have accounts or where account creation is open to everyone.

Both mantis 2.0.0 rc2 and 1.3.4 currently bundle 5.2.15. Please update the bundled version to 5.2.18.

Tags: No tags attached.

Relationships

related to 0022207 (closed, dregad): Update PHPMailer to 5.2.22

Activities

atrol (developer), 2016-12-26 06:56, note ~0054827

I had a short look at latest changes of PHPMailer

It seems some things are necessary for an attack

  • sendmail is used
  • path to sendmail binary is invalid
  • sender address is invalid

We don't offer users to enter sender address.
Our sender address is config_get( 'return_path_email' );
So we might not be affected.

@dregad, @vboctor
I don't see a big problem in updating PHPMailer.
Do you think it should be included in 1.3.5?

dregad (developer), 2016-12-26 08:08, note ~0054828

@hanno, thanks for the heads up.

@atrol I tend to agree with your analysis, although the vulnerability report is not detailed enough to be 100% sure.

That being said, having reviewed the PHPMailer change log since 5.2.15, I don't think anything has been introduced that would cause issues on our side, so I'll update the submodule to be on the safe side, just in case.

hanno (reporter), 2016-12-28 04:21, note ~0054852

Update, there seems to be another vuln in PHPmailer:
https://github.com/PHPMailer/PHPMailer/issues/924

Probably wait for the next update and use that.

atrol (developer), 2016-12-28 04:41, note ~0054853

> there seems to be another vuln in PHPmailer

I am watching it.
The web is full of lurid headlines about this one and the former one at the moment.

> Probably wait for the next update and use that.

I still do not see that MantisBT is affected, but who knows ...

atrol (developer), 2016-12-28 05:01, note ~0054854

From https://github.com/PHPMailer/PHPMailer/issues/924#issuecomment-269452835:

> Can confirm both CVE-2016-10033 and CVE-2016-10045 are exploitable. 10045 takes a little more thought. Both require that the attacker have control over the sender address

dregad (developer), 2016-12-28 12:47, note ~0054856

I updated 1.3.x and 2.0.x branches to PHPMailer 5.2.21
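The two conditions the discussion above turns on are (a) which PHPMailer release a MantisBT checkout actually bundles under library/phpmailer, and (b) whether the configured envelope sender (the ticket refers to it as config_get( 'return_path_email' )) contains anything a shell could misread when PHPMailer hands it to sendmail as a -f argument. The following audit script is an added example for this page; it is not part of the ticket, of MantisBT or of PHPMailer. It assumes that PHPMailer 5.2.x declares its version as `public $Version = '5.2.15';` in class.phpmailer.php, that the config file lives at config_inc.php (1.3.x) or config/config_inc.php, and that the sender is set there as $g_return_path_email; the sample files in the usage below are constructed for the example.

```shell
#!/bin/sh
# Added example, not MantisBT or PHPMailer code: audit a MantisBT checkout
# against the PHPMailer issue discussed in this ticket.
#
# Assumptions (mine, not stated on the page):
#  - the bundled PHPMailer lives at library/phpmailer (the changesets touch
#    that path) and its 5.2.x class.phpmailer.php contains
#        public $Version = '5.2.15';
#  - the envelope sender is $g_return_path_email in config_inc.php
#    (1.3.x) or config/config_inc.php.

# Print the version declared in a class.phpmailer.php file (empty if absent).
phpmailer_version() {
    grep -F 'public $Version = ' "$1" 2>/dev/null | head -n 1 |
        sed "s/.*'\([0-9][0-9.]*\)'.*/\1/"
}

# Dotted version compare: succeeds (exit 0) when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print the value of $g_return_path_email from a config file (empty if unset).
mantis_return_path() {
    grep -E '^[[:space:]]*\$g_return_path_email[[:space:]]*=' "$1" 2>/dev/null |
        head -n 1 | sed "s/.*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/"
}

# Succeed only for a sender made of characters that cannot act as argument
# boundaries or shell metacharacters in a sendmail -f parameter. This is
# deliberately stricter than RFC 5321: a quoted local part with spaces or
# quotes is a valid address, but it is exactly what must never reach a shell.
sender_shell_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9@._+-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a checkout: $1 = MantisBT root, $2 = minimum PHPMailer version
# (default 5.2.21, the version dregad moved the branches to).
# Returns 0 when both checks pass, 1 otherwise; findings go to stdout.
audit_mantis_phpmailer() {
    root="$1"; min="${2:-5.2.21}"; rc=0

    v=$(phpmailer_version "$root/library/phpmailer/class.phpmailer.php")
    if [ -z "$v" ]; then
        echo "FAIL: no PHPMailer version found under $root/library/phpmailer"; rc=1
    elif version_ge "$v" "$min"; then
        echo "OK:   bundled PHPMailer $v (>= $min)"
    else
        echo "FAIL: bundled PHPMailer $v is older than $min (CVE-2016-10033 / CVE-2016-10045)"; rc=1
    fi

    cfg="$root/config_inc.php"
    [ -f "$cfg" ] || cfg="$root/config/config_inc.php"
    sender=$(mantis_return_path "$cfg")
    if [ -z "$sender" ]; then
        echo "WARN: \$g_return_path_email not set in $cfg"
    elif sender_shell_safe "$sender"; then
        echo "OK:   return_path_email '$sender' is shell-safe"
    else
        echo "FAIL: return_path_email '$sender' has characters unsafe for a sendmail -f argument"; rc=1
    fi
    return $rc
}

# Usage: audit_mantis_phpmailer /var/www/mantisbt 5.2.21
```

The sender check is the practitioner's caveat to atrol's reading of the preconditions: MantisBT does not let users type the sender, but an administrator-set value is still worth confirming, since the version bump is the fix and the address whitelist is only defence in depth.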

Related Changesets

MantisBT: master-1.3.x ca31358f, 2016-12-26 08:32:40, dregad

Update PHPMailer library to 5.2.19

Fixes 0022073 (security issue, CVE-2016-10033)

mod - library/README.md
mod - library/phpmailer

MantisBT: master-1.3.x 2d1ce742, 2016-12-28 12:39:04, dregad

Update PHPMailer library to 5.2.19

Fixes 0022073 (security issue, CVE-2016-10045)

mod - library/README.md
mod - library/phpmailer

Issue History

Date Modified Username Field Change
2016-12-26 05:56 hanno New Issue
2016-12-26 06:56 atrol Note Added: 0054827
2016-12-26 08:08 dregad Note Added: 0054828
2016-12-26 08:34 dregad Changeset attached => MantisBT master-1.3.x ca31358f
2016-12-26 08:34 dregad Assigned To => dregad
2016-12-26 08:34 dregad Status new => resolved
2016-12-26 08:34 dregad Resolution open => fixed
2016-12-26 08:34 dregad Fixed in Version => 1.3.5
2016-12-26 08:36 dregad Target Version => 1.3.5
2016-12-26 18:37 dregad View Status private => public
2016-12-28 04:21 hanno Note Added: 0054852
2016-12-28 04:41 atrol Note Added: 0054853
2016-12-28 05:01 atrol Note Added: 0054854
2016-12-28 12:40 dregad Changeset attached => MantisBT master-1.3.x 2d1ce742
2016-12-28 12:47 dregad Note Added: 0054856
2016-12-30 15:54 vboctor Status resolved => closed
2017-01-16 03:33 dregad Relationship added related to 0022207