Jodi Thierer shared this problem 3 months ago
PHPMailer 5.2.14 security vulnerability

Looks like the latest version of Open Reality is running version 5.2.14, which is now being reported as having a remote exploit:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

Will you be providing an update soon or should we proceed with manually updating the files to 5.2.18 in include/class/phpmailer/?

Thanks

Comments (3)

Employee

Nice find! And minty-fresh too.

I believe you can manually update that library without breaking anything (back up the folder first), but if you want a definitive answer to your questions, or any questions regarding possible exploits, releases, or vulnerabilities, you should always contact Transparent Tech directly:

http://www.transparent-support.com/billing/

If you have the Mail System: option in OR's Site Config set to "PHP Mail()", this vulnerability does not affect you, as OR does not include PHPMailer in that situation. Just that library being present is not a problem; a remote attacker needs a form located somewhere on your site that is also using that library to perform the exploit.

Employee

If you do need to replace the mailer lib, make sure to use a newer 5.2.x version and not v6.x. v6 is apparently not backward compatible with v5.2.
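A shell check of the kind this thread calls for, added here and not code from Open Reality or PHPMailer: it reads the bundled PHPMailer version out of class.phpmailer.php and reports whether the install is below the fixed 5.2.18 the question mentions, inside the safe 5.2.x range, or a 6.x copy that the comment above warns is not backward compatible. It assumes the 5.2.x class file declares its version as `public $Version = '...';` and that the directory is the include/class/phpmailer/ folder from the question; the sample install tree is constructed inside the script.

```shell
#!/bin/sh
# Added example (not Open Reality or PHPMailer code): classify the PHPMailer
# copy in a directory such as include/class/phpmailer/ by its declared version.
# Assumption: the 5.2.x class file contains a line like  public $Version = '5.2.14';

# Turn "a.b.c" into one comparable integer (a*1000000 + b*1000 + c).
ver_num() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + ($2+0)*1000 + ($3+0) }'
}

# Print the version string found in <dir>/class.phpmailer.php, or nothing.
phpmailer_version() {
    sed -n 's/.*[$]Version[[:space:]]*=[[:space:]]*.\([0-9][0-9.]*\).*/\1/p' \
        "$1/class.phpmailer.php" 2>/dev/null | head -n 1
}

# Print "vulnerable" (< 5.2.18, the fixed release the question names),
# "incompatible" (>= 6.0.0, not a drop-in for 5.2), "ok", or "unknown".
phpmailer_status() {
    v=$(phpmailer_version "$1")
    [ -n "$v" ] || { echo unknown; return 3; }
    n=$(ver_num "$v")
    if [ "$n" -ge "$(ver_num 6.0.0)" ]; then echo incompatible; return 2; fi
    if [ "$n" -lt "$(ver_num 5.2.18)" ]; then echo vulnerable; return 1; fi
    echo ok
    return 0
}

# Constructed sample install: a minimal class file carrying the given version.
make_sample() {
    mkdir -p "$1"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '%s';\n}\n" "$2" \
        > "$1/class.phpmailer.php"
}

# Demo run over three constructed trees (real use: phpmailer_status include/class/phpmailer).
demo_dir=$(mktemp -d)
make_sample "$demo_dir/shipped"  5.2.14
make_sample "$demo_dir/patched"  5.2.18
make_sample "$demo_dir/wrongmajor" 6.0.0
for d in shipped patched wrongmajor; do
    printf '%s: %s\n' "$d" "$(phpmailer_status "$demo_dir/$d")"
done
rm -rf "$demo_dir"
```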
