Results 1 to 4 of 4

Threaded View

  1. #1
    Join Date
    Jan 2004
    Blog Entries
    Plugin Contributions

    Default Patch: PHPMailer security patch (Dec 2016) for v155c and older

    Yesterday the PHPMailer project received reports of a security bug that could allow malicious users to send unauthorized email through unprotected versions of PHPMailer older than the patched version (5.2.19) they released today Dec 26, 2016.

    UPDATE: See posts below for updated instructions and links to patch files.

    UPDATE 2:
    Our first response to this was to determine how complicated it would be to retrofit older Zen Cart versions to work with the newer PHPMailer, since ZC versions before v1.5.5 used much older versions of PHPMailer not compatible with the infrastructure that brokered handling the actual sending of messages. API structures had changed, etc. So our efforts were focused there initially.
    And when we had those complexities sorted out we pushed out the fixes.

    Subsequent investigation has revealed that much of the actual "vulnerability" in the PHPMailer package has to do with features that Zen Cart doesn't use. And, in fact, save for some plugins that may not all follow strict patterns, in a default configuration Zen Cart is actually pretty immune to the vulnerabilities that precipitated the 2 sudden PHPMailer release updates.

    In this regard, you may ask, "so, why patch then?"
    The answer is twofold:
    First, if we don't patch it, then we'll have an endless stream of people saying "you didn't patch, so ZC must not be secure", without actually finding proof of real vulnerability. False-positive reports waste a lot of time to respond to, and make storeowner experiences unnecessarily complicated.
    Second, there are dozens of important fixes in the newer PHPMailer that old ZC stores can't benefit from if they don't patch. Older stores without the patch can't properly connect to send secure email using modern TLS requirements, so this is an ideal way to get them to function more reliably even if they won't do a proper full version upgrade.

    Okay, that's way more info than anybody needs. You could have been done patching in less time than it took to read these comments.
    Happy selling!
    Last edited by DrByte; 29 Dec 2016 at 07:01 PM. Reason: Added "Update 2"

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.



Similar Threads

  1. Replies: 15
    Last Post: 2 Oct 2009, 11:45 AM
  2. 2008 PHPMailer v1.7.2 Vunerability Patch
    By shocker in forum Upgrading from 1.3.x to 1.3.9
    Replies: 1
    Last Post: 16 Jan 2008, 01:26 PM
  3. Replies: 3
    Last Post: 28 May 2006, 08:18 AM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
Zen-Cart, Internet Selling Services, Klamath Falls, OR