Patch: PHPMailer security patch (Dec 2016) for v155c and older
Yesterday the PHPMailer project received reports of a security bug that could allow malicious users to send unauthorized email through unprotected versions of PHPMailer older than the patched version (5.2.19) they released today, Dec 26, 2016.
UPDATE: See posts below for updated instructions and links to patch files.
UPDATE 2:
Our first response to this was to determine how complicated it would be to retrofit older Zen Cart versions to work with the newer PHPMailer, since ZC versions before v1.5.5 used much older versions of PHPMailer not compatible with the infrastructure that brokered handling the actual sending of messages. API structures had changed, etc. So our efforts were focused there initially.
And when we had those complexities sorted out we pushed out the fixes.
Subsequent investigation has revealed that much of the actual "vulnerability" in the PHPMailer package has to do with features that Zen Cart doesn't use. And, in fact, save for some plugins that may not all follow strict patterns, in a default configuration Zen Cart is actually pretty immune to the vulnerabilities that precipitated the 2 sudden PHPMailer release updates.
In this regard, you may ask, "so, why patch then?"
The answer is twofold:
First, if we don't patch it, then we'll have an endless stream of people saying "you didn't patch, so ZC must not be secure", without actually finding proof of real vulnerability. False-positive reports waste a lot of time to respond to, and make storeowner experiences unnecessarily complicated.
Second, there are dozens of important fixes in the newer PHPMailer that old ZC stores can't benefit from if they don't patch. Older stores without the patch can't properly connect to send secure email using modern TLS requirements, so this is an ideal way to get them to function more reliably even if they won't do a proper full version upgrade.
Okay, that's way more info than anybody needs. You could have been done patching in less time than it took to read these comments.
Happy selling!
Re: Patch: PHPMailer security bug - affects various versions of Zen Cart
ALERT: Apparently even the PHPMailer 5.2.19 patch may itself contain a critical flaw, so we've removed the patch files for 5.2.19.
Once they've resolved the issue, we'll publish another patch here, for (probably) 5.2.21.
NOTES on the 5.2.21 patch:
IF YOU ALREADY APPLIED THE 5.2.19 PATCH, all you need to do is replace the PHPMailer folder, using the PHPMailer 5-2-21-for-includes-classes-vendors.zip patch in the following post.
To be clear: on v139-v154 if you already updated the supporting files listed below, by applying the previous 5.2.19 patch, then you ONLY need to replace the contents of the PHPMailer folder to re-patch with 5.2.21.
Re: Patch: PHPMailer security bug - affects various versions of Zen Cart
UPDATED WITH NEW PHPMailer 5.2.21 patch files
UPDATED WITH NEW PHPMailer 5.2.23 patch files
Patch instructions to update PHPMailer for various Zen Cart versions:
(I do recommend you make a complete backup of all your PHP files before you do the following patching. You should be making regular backups anyway!)
v1.5.5a, v155b, v155c: (simple update: just replace the PHPMailer files using the following zip) ("replace" means "remove old, replace with new")
- unzip and upload the "PHPMailer" folder to /includes/classes/vendors/PHPMailer ... replacing the existing folder there.
- Here's the zip for v155/v155a/v155b/v155c: PHPMailer-5-2-23-for-includes-classes-vendors.zip
v1.3.9 to v1.5.4: (numerous additional files to replace in main "includes" folder, using the following zip)
- unzip the following file: New-PHPMailer-5-2-23-and-support-files-to-update-in-main-includes-folder.zip
- this will create numerous folders and files, which need to be uploaded to your server, replacing the existing files by the same name:
  - /includes/classes/vendors/PHPMailer/ (this will probably be a new folder for you)
  - /includes/classes/class.phpmailer.php (replace the old one)
  - /includes/classes/class.smtp.php (replace the old one)
  - /includes/functions/functions_email.php (replace the old one)
- you can delete the now-obsolete /includes/classes/support/ folder.
(NOTE: for a few hours this zip file had an extra /includes/functions_email.php file (not inside the "functions" folder) which should not have been present. The extra file can be deleted. The zip above is updated.)
v1.3.8 and older: (upgrade path unknown)
- It "may" be possible to use the zip for v139-v154 above, but this has NOT been tested on v138. You REALLY should be upgrading to a MODERN version of Zen Cart IMMEDIATELY!!!!
... or just upgrade to v1.5.5d https://www.zen-cart.com/getit
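A quick way to confirm the patch took, as an added example that is not part of the original post or the Zen Cart project: the script reads the `$Version` string that PHPMailer 5.2.x declares in class.phpmailer.php under the vendors folder named above and checks that the obsolete /includes/classes/support/ folder is gone. It assumes the store root layout described in the instructions; the demo stores it builds are constructed fixtures, not real installs.

```shell
#!/bin/sh
# Added example (not from the Zen Cart thread): verify a store's PHPMailer patch state.
# Assumes the layout from the instructions: <root>/includes/classes/vendors/PHPMailer/.

# Prints the PHPMailer version vendored in a store root, or "none" if it is missing.
phpmailer_version() {
  f="$1/includes/classes/vendors/PHPMailer/class.phpmailer.php"
  [ -f "$f" ] || { echo none; return; }
  # PHPMailer 5.2.x declares the version as:  public $Version = '5.2.23';
  sed -n "s/.*public \$Version *= *'\([0-9.]*\)'.*/\1/p" "$f" | head -n1
}

# Returns 0 only when the expected version is installed and the obsolete
# includes/classes/support/ folder (left over on v1.3.9-v1.5.4 stores) is gone.
check_patch() {
  root="$1"; want="$2"
  have=$(phpmailer_version "$root")
  [ "$have" = "$want" ] || { echo "PHPMailer is $have, expected $want"; return 1; }
  [ ! -d "$root/includes/classes/support" ] || {
    echo "obsolete includes/classes/support/ still present"; return 1; }
  echo "OK: PHPMailer $have"
}

# Builds a constructed fixture store (not a real install) so the checks run offline.
#   $1 = store dir, $2 = version string to declare, $3 = "yes" to keep the old support dir
make_store() {
  mkdir -p "$1/includes/classes/vendors/PHPMailer"
  printf "<?php\nclass PHPMailer {\n    public \$Version = '%s';\n}\n" "$2" \
    > "$1/includes/classes/vendors/PHPMailer/class.phpmailer.php"
  if [ "$3" = yes ]; then mkdir -p "$1/includes/classes/support"; fi
}

DEMO=$(mktemp -d)
make_store "$DEMO/patched" 5.2.23 no
make_store "$DEMO/stale" 5.2.10 yes
check_patch "$DEMO/patched" 5.2.23 || true   # prints "OK: PHPMailer 5.2.23"
check_patch "$DEMO/stale" 5.2.23 || true     # prints "PHPMailer is 5.2.10, expected 5.2.23"
```

Run it against the real store root instead of the fixtures with `check_patch /path/to/store 5.2.23`; if the version line is missing entirely the store has no vendored PHPMailer at that path and the v1.3.9-v1.5.4 zip has not been applied.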
Re: Patch: PHPMailer security bug - affects various versions of Zen Cart
The zip files linked above have been updated to PHPMailer 5.2.23.
If you've already applied a previous version of these patches, then re-patching only requires updating the files in the /includes/classes/vendors/PHPMailer folder and its subdirectories.