  1. #1

    Old version of PHPMailer (not a security problem)

    The version of PHPMailer that is bundled with Zen-Cart is very old, and has security issues. My webhost reports that these holes were actively exploited, which caused them to shut down my site. I have successfully replaced the classes with updated versions, which appear to work fine.

  2. #2

    Re: Old version of PHPMailer with security issues

    Which specific "security issues" are you referring to?
    Which specific holes were exploited?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3

    Re: Old version of PHPMailer with security issues

    I'm afraid I don't know exactly which security holes they were talking about and how they were exploited. My webhost reported that the class.phpmailer.php is version 1.73 and the class.smtp.php is version 1.02, while the newest version of both is 5.1.

  4. #4

    Re: Old version of PHPMailer with security issues

    There is a known problem in the original class.phpmailer.php version 1.73 file that was originally published, but when we found out about it, we patched it ourselves, thus removing that vulnerability from Zen Cart.


  5. #5

    Re: Old version of PHPMailer with security issues

    My webhost (domeneshop.no, one of Norway's largest hosts) provides some further info:

    -----
    The problems here are:

    1) Zen Cart bundles an apparently unmodified PHPMailer 1.02 (class.smtp.php).

    2) For the purpose of automated version recognition, Zen Cart's home-patched class.phpmailer.php pretends to be a vulnerable version of PHPMailer: 1.73.

    Since the particular problem with PHPMailer 1.73 appears to be patched, the version number should be increased, or the code forked to e.g. "Zen Cart PHPMailer" and a separate version number tree, in order to avoid confusion. The @version string in the comments is unfortunately not helpful, since the proper version strings remain unmodified.

    The best by far would be to bundle the current version of PHPMailer - our customers report that PHPMailer 5.1 works well with Zen Cart.

    For the record, we are very happy that someone has worked hard with improving Zen Cart, which just a few months ago was a piece of software we recommended our customers avoid, because of the plethora of security problems related to the product.
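The host's second point is a version-signature problem: a scanner that identifies PHPMailer by the version string in the file sees Zen Cart's patched copy as 1.73, because the fix lives in the method bodies and the `$Version` property and `@version` docblock were left untouched. The following Python check is added here as an illustration; it is not code from this thread, from Zen Cart or from the hosting company. The two PHP sources are constructed samples, the minimum version of 5.1 is taken from the thread, and the `$Version = "..."` property format mirrors what PHPMailer declares, but the file contents are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample: an old class.phpmailer.php whose bodies carry a local
# patch but whose version markers still say 1.73 (the situation the host
# describes). The docblock text is made up for this example.
PATCHED_173 = '''<?php
/**
 * PHPMailer - PHP email transport class
 * @version 1.73
 */
class PHPMailer {
    var $Version = "1.73";
    // local fix applied inside the methods: invisible to a version check
}
'''

# Constructed sample: the current release the host recommends bundling.
CURRENT_51 = '''<?php
class PHPMailer {
    public $Version = '5.1';
}
'''

# Constructed sample: only a docblock tag, no $Version property at all.
DOCBLOCK_ONLY = '''<?php
/**
 * @version 1.02
 */
class SMTP {
}
'''

# Match the class property first, then fall back to the docblock tag,
# which is exactly the order an automated recogniser tends to use.
PROPERTY_RE = re.compile(r'\$Version\s*=\s*[\'"]([0-9][0-9.]*)[\'"]')
DOCBLOCK_RE = re.compile(r'@version\s+([0-9][0-9.]*)')


def detect_version(source: str) -> Optional[str]:
    """Return the version string a signature-based scanner would extract."""
    match = PROPERTY_RE.search(source) or DOCBLOCK_RE.search(source)
    return match.group(1) if match else None


def parse_version(version: str) -> tuple:
    """Turn '1.73' into (1, 73) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split('.') if part.isdigit())


def is_outdated(version: str, minimum: str = '5.1') -> bool:
    """True when the detected version is older than the minimum accepted one."""
    return parse_version(version) < parse_version(minimum)


def assess(source: str, minimum: str = '5.1') -> dict:
    """Classify one PHP source the way a version-based scanner would.

    An unrecognisable file is reported as outdated rather than passed, since a
    scanner cannot vouch for code it cannot identify.
    """
    version = detect_version(source)
    outdated = version is None or is_outdated(version, minimum)
    return {'version': version, 'outdated': outdated}


if __name__ == '__main__':
    for name, src in (('patched 1.73', PATCHED_173),
                      ('current 5.1', CURRENT_51),
                      ('docblock only', DOCBLOCK_ONLY)):
        print(name, assess(src))
```

Running the block shows the patched file classified as outdated alongside the genuinely old SMTP class, while the 5.1 source passes. That is the host's point: a check like this cannot see a local patch, so a fork either has to carry a distinct version string or ship the upstream release the check recognises.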
