PHPMailer Vulnerability ?

[Peekay]

Does this affect Zen Cart in any way?

http://sourceforge.net/tracker/index...31&atid=385707

[DrByte]

It could only affect you IF ALL of the following are true:

1. You're using Zen Cart v1.3.6, or v1.3.7

2. You are using the "sendmail" or "Qmail" method for email-transport. (Default is PHP instead).

3. You have allowed folks to edit your PHP files on your server and specifically alter the sendmail executable/binary path.

4. You have a mis-formed "Email-From" address in your Admin->Configuration->Email Options or have allowed folks into your admin area so that they can set a rogue email address for the "email from" setting.


Even so, v1.3.8 will be altered to protect against the vulnerability in this integrated 3rd-party class.

[Peekay]

According to the advisory, there is a fix you can apply:

includes/classes/class.phpmailer.php

replace:

Code:

function SendmailSend($header, $body) {
        if ($this->Sender != "")
        $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
        else
        $sendmail = sprintf("%s -oi -t", $this->Sendmail);

with:

Code:

function SendmailSend($header, $body) {
         if ($this->Sender != "") {
         $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
         } else {
         $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
         }

Backup first, of course.

[DrByte]

According to the advisory, there is a fix you can apply

yes, thanks for pointing that out.
That fix will plug the vulnerability, and is incorporated into v1.3.8, as mentioned:

Even so, v1.3.8 will be altered to protect against the vulnerability in this integrated 3rd-party class.

However, it's important to note that the vulnerability is nearly impossible to trigger if using a default Zen Cart install.

[Peekay]

Thx DrByte.