View Issue Details

This bug affects 1 person(s).
ID: 12030
Project: Bug reports
Category: Security
View Status: public
Last Update: 2017-01-12 13:02
Reporter: jsalmeron
Assigned To: markusfluer
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.55.x
Fixed in Version: 2.58.x
Summary: 12030: PHPMailer security issue
Description

On 25.12.2016 a security issue (CVE-2016-10033) was found in the PHPMailer component for versions lower than 5.20. Could you confirm if the application is vulnerable?

More info: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Tags: No tags attached.
Bug heat: 260
Complete LimeSurvey version number (& build): 2.55.x
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysql
Server OS (if known): Linux
Webserver software & version (if known): Apache
PHP Version: any


Activities

DenisChenu

2017-01-05 08:37

developer   ~42626

https://github.com/LimeSurvey/LimeSurvey/commit/31f2fb7e6c6f455e165cdda6a7fa4f9e68ecda94

asshank

2017-01-05 10:02

reporter   ~42628

The current lime 170104 version contains 5.2.19!

The correct version is 5.2.21! Not 5.2.19, this is still not safe.

DenisChenu

2017-01-05 11:09

developer   ~42629

Oh right ...

Think https://github.com/LimeSurvey/LimeSurvey/pull/616 was merged

jsalmeron

2017-01-09 11:04

reporter   ~42674

Is there any ETA for this issue to be fixed? We would need to upgrade as soon as possible. Thanks

c_schmitz

2017-01-12 12:10

administrator   ~42685

New version released.

jelo

2017-01-12 12:34

partner   ~42690

So LimeSurvey 2.58.1 build 170113 is now on PHPMailer 5.2.21. BTW: Why 170113 on a 12th Jan release?

5.2.22 has been out since 5th Jan. 2017.
Fixes CVE-2017-5223
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223

Changelog PHPMailer
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

At least for multiuser LS installations the threat is high.
User input from GET/POST is needed in an email-related content field.
As long as PHPMailer cannot be triggered via a deep link directly, the last two bugs are not the mega threats. Having a blog with comment fields which triggers PHPMailer every time is a different story. And having many LimeSurvey installations on one server with different, untrusted users is a different story too. The former LimeService (don't know what it is called now) will need a 5.2.22 update.

DenisChenu

2017-01-12 12:37

developer   ~42691

@jelo: already reported for the 5.2.22 release. We are sure that only an admin can break security.

c_schmitz

2017-01-12 12:52

administrator   ~42692

I am sure that not even admins can break security.

DenisChenu

2017-01-12 13:02

developer   ~42693

<img src="/../../config.php" /> seems to be the test done: https://github.com/PHPMailer/PHPMailer/commit/48e8cac06775d2696cbcfe9b950c484926cc9da3#diff-740525a76c801bb681f23f901454d72bR1014

But: think sends are broken here

Related Changesets

LimeSurvey: master 1824438e

2017-01-09 15:16:06

c_schmitz


Committer: GitHub
Merge pull request #616 from tuxmaster/master

Update to 5.2.21 to fix CVE-2016-10045
Affected Issues: 12030
mod - application/third_party/phpmailer/VERSION
mod - application/third_party/phpmailer/class.phpmailer.php
mod - application/third_party/phpmailer/class.pop3.php
mod - application/third_party/phpmailer/class.smtp.php
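
For the many-installs-on-one-server case raised in note ~42690, a check of the bundled VERSION file listed in the changeset above; this is an added example, not LimeSurvey or PHPMailer code. The function names and the one-install-per-subdirectory layout are assumptions; the thresholds 5.2.21 and 5.2.22 are the versions named in this thread.

```shell
#!/bin/sh
# Added example: report the PHPMailer version bundled with LimeSurvey installs.
# Thresholds are the versions named in this thread; function names are hypothetical.

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    a=$1 b=$2
    for n in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1    # equal versions are not "lower"
}

# phpmailer_status ROOT: print "<version> <verdict>" for one install root.
phpmailer_status() {
    file="$1/application/third_party/phpmailer/VERSION"
    [ -r "$file" ] || { echo "no-version-file"; return 0; }
    v=$(tr -d ' \r\n' < "$file")
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unparseable"; return 0 ;;
    esac
    if ver_lt "$v" 5.2.21; then echo "$v below-5.2.21"
    elif ver_lt "$v" 5.2.22; then echo "$v below-5.2.22"
    else echo "$v at-least-5.2.22"
    fi
}

# audit_webroot DIR: one line per subdirectory of DIR that bundles PHPMailer
# (assumed layout: one LimeSurvey install per subdirectory).
audit_webroot() {
    for d in "$1"/*/; do
        [ -d "${d}application/third_party/phpmailer" ] || continue
        printf '%s\t%s\n' "${d%/}" "$(phpmailer_status "${d%/}")"
    done
}

if [ "$#" -gt 0 ]; then audit_webroot "$1"; fi
```

The comparison is numeric per component, so 5.2.9 sorts below 5.2.21 where a plain string comparison would not.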

Issue History

Date Modified | Username | Field | Change
2017-01-04 17:41 | jsalmeron | New Issue |
2017-01-05 08:37 | DenisChenu | Assigned To | => markusfluer
2017-01-05 08:37 | DenisChenu | Status | new => closed
2017-01-05 08:37 | DenisChenu | Resolution | open => no change required
2017-01-05 08:37 | DenisChenu | Note Added: 42626 |
2017-01-05 10:02 | asshank | Note Added: 42628 |
2017-01-05 11:09 | DenisChenu | Status | closed => confirmed
2017-01-05 11:09 | DenisChenu | Note Added: 42629 |
2017-01-09 11:04 | jsalmeron | Note Added: 42674 |
2017-01-09 15:17 | c_schmitz | Changeset attached | => LimeSurvey master 1824438e
2017-01-09 15:17 | c_schmitz | Status | confirmed => resolved
2017-01-09 15:17 | c_schmitz | Resolution | no change required => fixed
2017-01-09 15:17 | c_schmitz | Fixed in Version | => 2.58.x
2017-01-12 12:10 | c_schmitz | Status | resolved => closed
2017-01-12 12:10 | c_schmitz | Note Added: 42685 |
2017-01-12 12:34 | jelo | Note Added: 42690 |
2017-01-12 12:37 | DenisChenu | Note Added: 42691 |
2017-01-12 12:52 | c_schmitz | Note Added: 42692 |
2017-01-12 13:02 | DenisChenu | Note Added: 42693 |