0022073: Potentially serious RCE vulnerability in bundled PHPMailer before 5.2.18 (CVE-2016-10033) - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0022073	mantisbt	security	public	2016-12-26 05:56	2017-01-16 03:33

Reporter	hanno	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.3.4
Target Version	1.3.5	Fixed in Version	1.3.5

Summary	0022073: Potentially serious RCE vulnerability in bundled PHPMailer before 5.2.18 (CVE-2016-10033)
Description	There has been a report about a serious vulnerability in PHPMailer before 5.2.18: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html Details at this point are scarce, but it looks like if an attacker can somehow control parts of the usage of a mail sent via PHPMailer he can execute code on the webserver. It is likely to assume that this affects all mantis installations where untrusted users have accounts or where account creation is open to everyone. Both mantis 2.0.0 rc2 and 1.3.4 currently bundle 5.2.15. Please update the bundled version to 5.2.18.
Tags	No tags attached.

atrol 2016-12-26 06:56 developer ~0054827	I had a short look at latest changes of PHPMailer It seems some things are necessary for an attack sendmail is used path to sendmail binary is invalid sender address is invalid We don't offer users to enter sender address. Our sender address is config_get( 'return_path_email' ); So we might not be affected. @dregad, @vboctor I don't see a big problem in updating PHPMailer. Do you think it should be included in 1.3.5?

dregad 2016-12-26 08:08 developer ~0054828	@hanno, thanks for the heads up. @atrol I tend to agree with your analysis, although the vulnerability report is not detailed enough to be 100% sure. That being said, having reviewed at the PHPMailer change log since 5.2.15, I don't think anything has been introduced that would cause issues on our side, so I'll update the submodule to be on the safe side, just in case.

hanno 2016-12-28 04:21 reporter ~0054852	Update, there seems to be another vuln in PHPmailer: https://github.com/PHPMailer/PHPMailer/issues/924 Probably wait for the next update and use that.

atrol 2016-12-28 04:41 developer ~0054853	there seems to be another vuln in PHPmaile I am watching it. The web is full of lurid headlines about this one and the former one at the moment. Probably wait for the next update and use that. I still do not see that MantisBT is affected, but who knows ...

atrol 2016-12-28 05:01 developer ~0054854	From https://github.com/PHPMailer/PHPMailer/issues/924#issuecomment-269452835 Can confirm both CVE-2016-10033 and CVE-2016-10045 are exploitable. 10045 takes a little more thought. Both require that the attacker have control over the sender address

dregad 2016-12-28 12:47 developer ~0054856	I updated 1.3.x and 2.0.x branches to PHPMailer 5.2.21

MantisBT: master-1.3.x ca31358f 2016-12-26 03:32 dregad Details Diff	Update PHPMailer library to 5.2.19 Fixes 0022073 (security issue, CVE-2016-10033)		Affected Issues 0022073
	mod - library/README.md		Diff File
	mod - library/phpmailer		Diff File
MantisBT: master-1.3.x 2d1ce742 2016-12-28 07:39 dregad Details Diff	Update PHPMailer library to 5.2.19 Fixes 0022073 (security issue, CVE-2016-10045)		Affected Issues 0022073
	mod - library/README.md		Diff File
	mod - library/phpmailer		Diff File