Yesterday the PHPMailer project received reports of a security bug that could allow malicious users to send unauthorized email through unprotected versions of PHPMailer older than the patched version (5.2.19) they released today, Dec 26, 2016.
UPDATE: See posts below for updated instructions and links to patch files.
UPDATE 2:
Our first response to this was to determine how complicated it would be to retrofit older Zen Cart versions to work with the newer PHPMailer, since ZC versions before v1.5.5 used much older versions of PHPMailer not compatible with the infrastructure that brokered handling the actual sending of messages. API structures had changed, etc. So our efforts were focused there initially.
And when we had those complexities sorted out we pushed out the fixes.
Subsequent investigation has revealed that much of the actual "vulnerability" in the PHPMailer package has to do with features that Zen Cart doesn't use. And, in fact, save for some plugins that may not all follow strict patterns, in a default configuration Zen Cart is actually pretty immune to the vulnerabilities that precipitated the two sudden PHPMailer release updates.
In this regard, you may ask, "so, why patch then?"
The answer is twofold:
First, if we don't patch it, then we'll have an endless stream of people saying "you didn't patch, so ZC must not be secure", without actually finding proof of a real vulnerability. False-positive reports take a lot of time to respond to, and make storeowner experiences unnecessarily complicated.
Second, there are dozens of important fixes in the newer PHPMailer that old ZC stores can't benefit from if they don't patch. Older stores without the patch can't properly connect to send secure email using modern TLS requirements, so this is an ideal way to get them to function more reliably even if they won't do a proper full version upgrade.
Okay, that's way more info than anybody needs. You could have been done patching in less time than it took to read these comments.
Happy selling!