
Address the vulnerabilities in recent PHPMailer 5.2.x


    • MOODLE_27_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • MDL-57531-master-phpmailer

      On versions 3.1 and below, enable emailonlyfromnoreplyaddress.

      In admin > server > email > outgoing mail configuration, set an invalid email address in the noreply address field. Ensure that form validation works correctly and that an invalid email address cannot be set.

      With an invalid noreply set (via config.php or directly in the db before this patch),
      trigger an e-mail to be sent and check that the noreply address has been set to:
      noreply@(SITEURL)

      With a valid noreply set, trigger an e-mail to be sent and check that the noreply address has been set to the noreply address configured.

      In admin > server > email > outgoing mail configuration,
      add a new allowed email domain, e.g. *.moodle.org.
      Trigger an e-mail from a user that has a valid *.moodle.org address and check that this email is set in the From component of the sent email.
      Trigger an e-mail from a user that has a *.moodle.org address that is not valid (changed at db level to something like "moodle@moodle.org>\r\nRCPT TO:<victim@example.com"), and
      check that a debugging message appears when this e-mail is attempted and that no e-mail is sent.
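      The sender checks the steps above exercise, as an added PHP example that is not Moodle's or PHPMailer's own code: it refuses any address carrying CR/LF or failing syntactic validation, falls back to noreply@<site host> when the configured noreply is invalid, and only keeps a user's own From address when its domain matches an allowed pattern such as *.moodle.org. Function names, the reading of "*" as "any subdomain", and the sample inputs are assumptions.

```php
<?php
// Added example, not Moodle's own code. Function names, the treatment of "*"
// as "any subdomain", and the sample inputs below are assumptions.

// Reject any address that is not a single-line, syntactically valid mailbox:
// a CR/LF (or other control byte) could smuggle extra SMTP commands or headers.
function is_safe_email(string $addr): bool {
    if (preg_match('/[\x00-\x1F\x7F]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Use the configured noreply address if it is valid, otherwise fall back to
// noreply@<host of SITEURL>, as the testing instructions expect.
function resolve_noreply(?string $configured, string $siteurl): string {
    if ($configured !== null && is_safe_email($configured)) {
        return $configured;
    }
    $host = parse_url($siteurl, PHP_URL_HOST) ?: 'localhost';
    return 'noreply@' . $host;
}

// Match the domain part of an address against patterns such as "*.moodle.org".
function domain_allowed(string $addr, array $patterns): bool {
    $domain = strtolower(substr(strrchr($addr, '@'), 1));
    foreach ($patterns as $pattern) {
        $regex = '/^' . str_replace('\*', '.+', preg_quote(strtolower($pattern), '/')) . '$/';
        if (preg_match($regex, $domain)) {
            return true;
        }
    }
    return false;
}

// Decide the From address: the user's own address when it is safe and its domain
// is allowed, the noreply address otherwise, and null (send nothing, log it)
// when the user's address is malformed.
function choose_from(string $useremail, array $allowed, string $noreply): ?string {
    if (!is_safe_email($useremail)) {
        error_log('Refusing to send: malformed From address');  // the debugging message
        return null;
    }
    return domain_allowed($useremail, $allowed) ? $useremail : $noreply;
}

// Constructed sample inputs: an invalid configured noreply, a valid subdomain
// address, and the malformed address from the testing instructions.
$noreply = resolve_noreply('not an address', 'https://lms.example.org/moodle');
var_dump(choose_from('teacher@dev.moodle.org', ['*.moodle.org'], $noreply));
var_dump(choose_from("moodle@moodle.org>\r\nRCPT TO:<victim@example.com", ['*.moodle.org'], $noreply));
```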


      PHPMailer should be updated to 5.2.21+ (it was .18 when this issue was opened, BUT a 0-day vulnerability was found in it: CVE-2016-10045; see more details in the comments too) in all the security-supported branches. From https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html:

      A successful exploitation could let remote attackers gain access to
      the target server in the context of the web server account, which could
      lead to a full compromise of the web application.

      At the time of .18 there was already an exploit, but it was not publicly available; then, when .18 was released, a public exploit was incorrectly published (so becoming a 0-day vulnerability!). PHPMailer has already patched the code for both CVEs.

      Please take care with new properties/features to avoid issues of the kind seen in MDL-52637 and MDL-57474.
