Shopping Cart Software Forum for Ecommerce Templates
 PHPmailer class security issue

insight
ECT Moderator

USA
4193 Posts

Posted - 12/30/2016 :  13:04:00  
If you use PHPmailer to handle transactional email on your ECT/PHP site (and you should), then be aware of a recently revealed security issue with the mailer class, see here for example https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

While it's by no means clear that there is any risk to ECT sites, not all the exploit details have been disclosed yet and you'd be well advised to update the scripts to ensure you stay on the safe side. You can fetch the files from here: https://github.com/PHPMailer/PHPMailer/tree/5.2-stable (hit the green button to download all the project files as a zip file) and you need only upload two files to your /vsadmin/inc directory, class.smtp.php and class.phpmailer.php.

Current/latest version is 5.2.21 from 2 days ago and we've tested this with recent ECT versions on sites we manage and found it to work fine.

Peter

ServeLink
Professional ecommerce web hosting for ASP & PHP
https://servelink.com

Take a look at our image upload/resize tool for the ASP cart
https://servelink.com/clients/cart?gid=7

Edited by - insight on 03/27/2018 13:58:26

Andy
ECT Moderator

95440 Posts

Posted - 12/30/2016 :  13:11:56  
Thanks for posting Peter. I'll make this a sticky for a few days as with the holiday season it'll give people more of a chance of seeing it.

Andy

Please feel free to review / rate our software

ITZAP
Ecommerce Template Expert

Australia
833 Posts

Posted - 12/30/2016 :  21:06:06  
Good to know!
"Beyond Compare" reveals a bunch of security code modifications in v5.2.21 of class.phpmailer.php and class.smtp.php
No alterations to the short PHPMailerAutoload.php file.

Gary

tgorski
Ecommerce Template Expert

USA
817 Posts

Posted - 05/16/2017 :  05:50:02  
Can we assume this fix does NOT need to be implemented for versions later than 6.0?

Tim Gorski

insight
ECT Moderator

USA
4193 Posts

Posted - 05/16/2017 :  05:58:56  
No, you can't, as the PHPmailer files are not included in the ECT distribution, so whatever version of that you might have bears no relation to your ECT version. You want to be using PHPmailer 5.2.21 or later, current is 5.2.23.

Peter

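The two posts above give the remediation in prose: upload the 5.2.21 (or later) class.smtp.php and class.phpmailer.php into /vsadmin/inc, and note that the ECT version tells you nothing about which PHPMailer is deployed. The script below is an added example, not code from the thread, ECT or the PHPMailer project, for confirming after the fact which PHPMailer release a site is actually running. It assumes, as PHPMailer 5.2.x does, that class.phpmailer.php declares its release as `public $Version = '5.2.21';`; the /vsadmin/inc path and the 5.2.21 floor come from the thread, and the sample file the demo writes is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread): report which PHPMailer release is
# deployed in a site's /vsadmin/inc directory and flag anything older than
# 5.2.21, the release the thread identifies as fixing CVE-2016-10033.
# Assumption: PHPMailer 5.2.x declares its release in class.phpmailer.php as
#   public $Version = '5.2.21';
# which is the line the sed expression below looks for.

MIN_VERSION="5.2.21"

# Print the version string declared in a class.phpmailer.php file (or nothing).
phpmailer_version() {
    sed -n "s/.*public \$Version *= *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Compare two dotted version strings component by component, numerically,
# so that 5.10.0 > 5.9.9. Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Check one class.phpmailer.php.
# Exit status: 0 = at or above MIN_VERSION, 1 = outdated, 2 = missing/unknown.
check_phpmailer_file() {
    f="$1"
    [ -r "$f" ] || { echo "MISSING  $f"; return 2; }
    v=$(phpmailer_version "$f")
    [ -n "$v" ] || { echo "UNKNOWN  $f (no \$Version declaration found)"; return 2; }
    if version_ge "$v" "$MIN_VERSION"; then
        echo "OK       $f is PHPMailer $v"
        return 0
    fi
    echo "OUTDATED $f is PHPMailer $v, older than $MIN_VERSION"
    return 1
}

# Check a whole site: the thread says only these two files need replacing,
# and both ship with the same release, so the class file's version is checked
# and the SMTP class is only required to be present alongside it.
check_site() {
    inc="$1/vsadmin/inc"
    [ -r "$inc/class.smtp.php" ] || echo "MISSING  $inc/class.smtp.php"
    check_phpmailer_file "$inc/class.phpmailer.php"
}

# Demo against a constructed file (not a real PHPMailer source file).
demo() {
    tmp=$(mktemp)
    printf "class PHPMailer {\n    public \$Version = '5.2.14';\n}\n" > "$tmp"
    check_phpmailer_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On a real site:  check_site /path/to/your/site
```

Run `check_site /path/to/site` against the web root; an `OUTDATED` or `MISSING` line means the two files from the 5.2-stable branch still need to be uploaded, and the script does not touch the site itself.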

Phil
ECT Moderator

United Kingdom
7057 Posts

Posted - 05/27/2017 :  05:34:51  
Hi Tim,
From what I can recall you're not using PHPmailer so unless that's changed you have no need to do anything.



* Database Migrations and Conversions*
* ASP to PHP Cart Conversions*

*Contact Us*
*Buy The PHP Capture Card Plugin*
*Rate Our Services/View Our Feedback*

pauld
Advanced Member

USA
354 Posts

Posted - 07/02/2017 :  05:04:54  
Hi, I believe that the main ECT "Email Troubleshooting" page (https://www.ecommercetemplates.com/help/email-help.asp), under the "Email Authentication using PHPMailer" section heading, still links to the old (not secure) version of PHPmailer.

This created extra work when I pushed the files, then later discovered the vulnerability. And, it seems possible that outdated links could leave others exposed.

Would you consider searching the ECT site for this and other links to the old phpmailer version, and updating these? Thanks in advance.

Old (vulnerable) link: https://github.com/Synchro/PHPMailer

New link: https://github.com/PHPMailer/PHPMailer

Andy
ECT Moderator

95440 Posts

Posted - 07/02/2017 :  05:14:39  
Sorry, Paul - I wasn't aware there was a problem with the old URL but we'll get that changed.

Andy

Please feel free to review / rate our software

insight
ECT Moderator

USA
4193 Posts

Posted - 07/03/2017 :  13:57:04  
Perhaps the three PHPmailer files should be included with the ECT distribution, I don't think there's any problem with that if there's proper attribution. That keeps everyone up to date as they apply updaters, saves folks having to rummage around in the unfamiliar environment of a Git repo and avoids the foregoing issue completely.

Peter


ITZAP
Ecommerce Template Expert

Australia
833 Posts

Posted - 07/03/2017 :  14:27:59  
Top idea Peter.

Gary
Shopping Cart Software Forum for Ecommerce Templates © 2002-2019 ecommercetemplates.com