#1 (Join Date: Jan 2004; Posts: 66,364; Blog Entries: 7; Plugin Contributions: 274)

    Patch: PHPMailer security patch (Dec 2016) for v155c and older

    Yesterday the PHPMailer project received reports of a security bug that could allow malicious users to send unauthorized email through unprotected versions of PHPMailer older than the patched version (5.2.19) they released today, Dec 26, 2016.

    UPDATE: See posts below for updated instructions and links to patch files.


    UPDATE 2:
    Our first response to this was to determine how complicated it would be to retrofit older Zen Cart versions to work with the newer PHPMailer, since ZC versions before v1.5.5 used much older versions of PHPMailer not compatible with the infrastructure that brokered handling the actual sending of messages. API structures had changed, etc. So our efforts were focused there initially.
    And when we had those complexities sorted out we pushed out the fixes.

    Subsequent investigation has revealed that much of the actual "vulnerability" in the PHPMailer package has to do with features that Zen Cart doesn't use. And, in fact, save for some plugins that may not all follow strict patterns, in a default configuration Zen Cart is actually pretty immune to the vulnerabilities that precipitated the 2 sudden PHPMailer release updates.

    In this regard, you may ask, "so, why patch then?"
    The answer is twofold:
    First, if we don't patch it, then we'll have an endless stream of people saying "you didn't patch, so ZC must not be secure", without actually finding proof of real vulnerability. False-positive reports waste a lot of time to respond to, and make storeowner experiences unnecessarily complicated.
    Second, there are dozens of important fixes in the newer PHPMailer that old ZC stores can't benefit from if they don't patch. Older stores without the patch can't properly connect to send secure email using modern TLS requirements, so this is an ideal way to get them to function more reliably even if they won't do a proper full version upgrade.

    Okay, that's way more info than anybody needs. You could have been done patching in less time than it took to read these comments.
    Happy selling!
    Last edited by DrByte; 29 Dec 2016 at 07:01 PM. Reason: Added "Update 2"

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

#2

    Re: Patch: PHPMailer security bug - affects various versions of Zen Cart

    ALERT: Apparently even the PHPMailer 5.2.19 patch may itself contain a critical flaw, so we've removed the patch files for 5.2.19.

    Once they've resolved the issue, we'll publish another patch here, for (probably) 5.2.21


    NOTES on the 5.2.21 patch:

    IF YOU ALREADY APPLIED THE 5.2.19 PATCH, all you need to do is replace the PHPMailer folder, using the PHPMailer 5-2-21-for-includes-classes-vendors.zip patch in the following post.

    To be clear: on v139-v154 if you already updated the supporting files listed below, by applying the previous 5.2.19 patch, then you ONLY need to replace the contents of the PHPMailer folder to re-patch with 5.2.21.

#3

    Re: Patch: PHPMailer security bug - affects various versions of Zen Cart

    UPDATED WITH NEW PHPMailer 5.2.21 patch files
    UPDATED WITH NEW PHPMailer 5.2.23 patch files

    Patch instructions to update PHPMailer for various Zen Cart versions:

    (I do recommend you make a complete backup of all your PHP files before you do the following patching. You should be making regular backups anyway!)


    v1.5.5a, v155b, v155c: (simple update: just replace the PHPMailer files using the following zip) ("replace" means "remove old, replace with new")
    - unzip and upload the "PHPMailer" folder to /includes/classes/vendors/PHPMailer ... replacing the existing folder there.
    - Here's the zip for v155/v155a/v155b/v155c: PHPMailer-5-2-23-for-includes-classes-vendors.zip


    v1.3.9 to v1.5.4: (numerous additional files to replace in main "includes" folder, using the following zip)
    - unzip the following file: New-PHPMailer-5-2-23-and-support-files-to-update-in-main-includes-folder.zip
    - this will create numerous folders and files, which need to be uploaded to your server, replacing the existing files by the same name:
    - /includes/classes/vendors/PHPMailer/ (this will probably be a new folder for you)
    - /includes/classes/class.phpmailer.php (replace the old one)
    - /includes/classes/class.smtp.php (replace the old one)
    - /includes/functions/functions_email.php (replace the old one)
    - you can delete the now-obsolete /includes/classes/support/ folder.


    (NOTE: for a few hours this zip file had an extra /includes/functions_email.php file (not inside the "functions" folder) which should not have been present. The extra file can be deleted. The zip above is updated.)



    v1.3.8 and older: (upgrade path unknown)
    - It "may" be possible to use the zip for v139-v154 above, but this has NOT been tested on v138. You REALLY should be upgrading to a MODERN version of Zen Cart IMMEDIATELY!!!!



    ... or just upgrade to v1.5.5d https://www.zen-cart.com/getit
    Last edited by DrByte; 12 Apr 2017 at 08:41 PM. Reason: Updated files to 5.2.23
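A post-patch check for the re-patching procedure in the post above (and for the "only replace the PHPMailer folder" shortcut in post #2), written here as an added example; it is not part of the original post and not Zen Cart's own code. It assumes the Zen Cart root is passed as its argument, that PHPMailer 5.2.x declares its release in class.phpmailer.php on a line of the form   public $Version = '5.2.23';   (older bundled copies used   var $Version = "...";   in the same shape), and it treats 5.2.23 as the minimum because that is what the zips were last updated to. It also warns about the two leftovers the post says can be deleted: the obsolete /includes/classes/support/ folder and a stray /includes/functions_email.php outside the "functions" folder.

```shell
#!/bin/sh
# Post-patch check for the Zen Cart PHPMailer update described above.
# Added example; not part of the original post or of Zen Cart itself.
# Assumptions: the Zen Cart root is given as $1; PHPMailer 5.2.x declares its
# release in class.phpmailer.php as   public $Version = '5.2.23';
# (older bundled copies used   var $Version = "...";   with the same shape).

MIN_VERSION="5.2.23"   # the version the patch zips were last updated to

# Print the version string declared in a class.phpmailer.php, or nothing if
# the file is absent or has no $Version line. Never fails, so it is safe to
# call inside $(...) under set -e.
phpmailer_version() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*[a-z]*[[:space:]]*[$]Version[[:space:]]*=[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Turn "major.minor.patch" into one integer so versions compare numerically
# ("5.2.23" -> 5002023, "1.73" -> 1073000). Missing fields count as 0.
# Runs in a subshell so the IFS change does not leak into the caller.
version_num() (
    IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Succeed when version $1 is at least version $2.
version_ge() {
    [ "$(version_num "$1")" -ge "$(version_num "$2")" ]
}

# Check one store. $1 = Zen Cart root. Returns 0 when the vendored PHPMailer
# is at least MIN_VERSION, 1 otherwise; leftovers are only warned about.
check_zencart_phpmailer() {
    root=$1
    status=0
    vendored="$root/includes/classes/vendors/PHPMailer/class.phpmailer.php"

    v=$(phpmailer_version "$vendored")
    if [ -z "$v" ]; then
        echo "FAIL: no PHPMailer version found at $vendored (patch not applied?)"
        status=1
    elif version_ge "$v" "$MIN_VERSION"; then
        echo "OK: vendored PHPMailer $v (minimum $MIN_VERSION)"
    else
        echo "FAIL: vendored PHPMailer $v is older than $MIN_VERSION; re-apply the patch"
        status=1
    fi

    # Leftovers the post says can be deleted: the obsolete support folder
    # (v139-v154 patch) and the stray functions_email.php outside "functions".
    if [ -d "$root/includes/classes/support" ]; then
        echo "WARN: obsolete $root/includes/classes/support/ still present"
    fi
    if [ -f "$root/includes/functions_email.php" ]; then
        echo "WARN: stray $root/includes/functions_email.php (belongs only under includes/functions/)"
    fi
    return $status
}

# Usage: sh check_phpmailer_patch.sh /path/to/zencart
if [ -n "${1:-}" ]; then
    check_zencart_phpmailer "$1"
fi
```

Run it against the store's document root after uploading the zip contents; a FAIL means the vendored folder was not actually replaced (a common cause is uploading into a nested PHPMailer/PHPMailer folder), and a WARN only points at files that are safe to remove.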

#4

    Re: Patch: PHPMailer security bug - affects various versions of Zen Cart

    The zip files linked above have been updated to PHPMailer 5.2.23

    If you've already applied a previous version of these patches, then re-patching only requires updating the files in the /includes/classes/vendors/PHPMailer folder and its subdirectories.
