[Exploit] phpMailer has a security bug - update your scripts.

phpscripts

#1

Hey authors,

Check your scripts for the popular phpMailer library and update to the latest version:

If your scripts do something like this then they are vulnerable:

$phpmailer->setFrom( $_POST['email'] );

This also applies to your live demos, if you let the customer change the sender address in your php app live demo then someone can potentially take over your server.

Just go and update it anyway :slight_smile:


#2

Thanks for the info @dtbaker


#3

Wait for 5.2.20


#4

For Joomla items, at this time is not possible since the Joomla core is not updated with that class version.


#5

This is what Joomla.org says: https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html

As Authors maintaining Joomla items, we’re stuck to fix this problem.


#6

@dtbaker I have updated the library, but it throws an error in console:

Warning: escapeshellcmd() has been disabled for security reasons in class.phpmailer.php on line 1442

However, the message delivers successfully. Do you have any idea?


#7

@surjithctly it should be fine, put a error_reporting(0); at the top to stop that hosting warning.


#8

Thank you :slight_smile: