PhpMailer remote exploit - CVE-2016-10033

Discussion regarding Joomla! 3.x security issues.

Bogdan
Joomla! Apprentice
Posts: 11
Joined: Sun Oct 16, 2005 3:00 pm

PhpMailer remote exploit - CVE-2016-10033

Postby Bogdan » Mon Dec 26, 2016 1:35 pm

Is Joomla vulnerable to this exploit?

I see they released a new version 5.2.18, is it safe to just copy the new PhpMailer to /libraries/vendor/phpmailer/phpmailer/ ? https://github.com/PHPMailer/PHPMailer

zeno
Joomla! Enthusiast
Posts: 121
Joined: Sun Oct 14, 2007 7:16 pm

Re: PhpMailer remote exploit - CVE-2016-10033

Postby zeno » Tue Dec 27, 2016 12:45 am

Some details of the PHPMailer vulnerability as it affects WordPress that may be helpful:

Critical Vulnerability in PHPMailer. Affects WP Core. https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/

mbabker
Joomla! Hero
Posts: 2010
Joined: Sun Feb 28, 2010 8:26 pm
Location: White Bear Lake, MN, USA

Re: PhpMailer remote exploit - CVE-2016-10033

Postby mbabker » Tue Dec 27, 2016 2:17 am

Joomla's statement regarding the issue may be found at https://developer.joomla.org/security-c ... isory.html
Production Department Coordinator, Release Lead, CMS Maintainer, Framework Maintainer, Security Team Member, .org System Administrator

Manually updating Joomla? See https://gist.github.com/mbabker/d7bfb4e1e2fbc6b7815a733607f89281

semmel
Joomla! Apprentice
Posts: 13
Joined: Wed Dec 10, 2014 10:11 am

Re: PhpMailer remote exploit - CVE-2016-10033

Postby semmel » Tue Dec 27, 2016 2:59 pm

From the statement: "However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue"
Is there any list of extensions that do this?

Bogdan
Joomla! Apprentice
Posts: 11
Joined: Sun Oct 16, 2005 3:00 pm

Re: PhpMailer remote exploit - CVE-2016-10033

Postby Bogdan » Tue Dec 27, 2016 4:16 pm

Search your site for class.phpmailer.php and update all the files from: https://github.com/PHPMailer/PHPMailer
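A shell check for the advice above (an added example, not code from the thread, Joomla or PHPMailer): it finds every bundled class.phpmailer.php under a site root, reads the `$Version` string the 5.x library declares, and flags copies older than 5.2.18, the release the thread names as fixed. The demo site tree it builds is constructed sample data, and the version comparison assumes a `sort` that understands `-V` (GNU coreutils).

```shell
#!/bin/sh
# Added example, not code from the thread, Joomla or PHPMailer. Lists every
# bundled class.phpmailer.php under a site root and flags copies older than
# 5.2.18 (the fixed release the thread names). Assumes find, grep -o, sort -V.

FIXED_VERSION="5.2.18"

# Read the version from one class.phpmailer.php; the 5.x series declares it as
#     public $Version = '5.2.17';
# Prints nothing when no such line exists.
phpmailer_version() {
    grep -o "Version *= *'[0-9][0-9.]*'" "$1" | head -n 1 | tr -d "' " | cut -d= -f2
}

# True (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "<path> <version> <OUTDATED|OK|UNKNOWN>" for every copy under $1.
scan_phpmailer_copies() {
    find "$1" -type f -name 'class.phpmailer.php' | while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ -z "$v" ]; then
            echo "$f ? UNKNOWN"
        elif version_lt "$v" "$FIXED_VERSION"; then
            echo "$f $v OUTDATED"
        else
            echo "$f $v OK"
        fi
    done
}

# Number of outdated copies under $1 (usable as a cron or CI gate).
count_outdated() {
    scan_phpmailer_copies "$1" | grep -c ' OUTDATED$' || true
}

# Constructed sample site: the core copy is current, an extension bundles an
# old one. Prints the temporary directory path; remove it when done.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/libraries/vendor/phpmailer/phpmailer" "$d/components/com_example/lib"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '5.2.18';\n}\n" \
        > "$d/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '5.2.9';\n}\n" \
        > "$d/components/com_example/lib/class.phpmailer.php"
    echo "$d"
}
```

Run `scan_phpmailer_copies /path/to/site` against a real install; any OUTDATED or UNKNOWN line is a copy to update or to raise with the extension developer.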

fcoulter
Joomla! Ace
Posts: 1359
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: PhpMailer remote exploit - CVE-2016-10033

Postby fcoulter » Tue Dec 27, 2016 5:24 pm

semmel wrote:Is there any list of extensions that do this?

Yes, it is called the Joomla Vulnerable Extensions List https://vel.joomla.org

So far the VEL team do not know of any extensions that are vulnerable to this. It is very standard among developers to use the Joomla core JMail class to send mail, which, as the JSST advisory states, includes additional validation and so is not vulnerable to this.

That said, there may be a few which do include their own version of PHPMailer; we are looking into this and will list any vulnerable extensions that we find. If you are worried about any extensions that you use, you can check the installation package and look for the PHPMailer library, or contact the developer and ask. Even if the developer uses their own version of the PHPMailer library it does not automatically mean that the extension is exploitable; the exploit also requires that the user is able to manipulate the sendmail_from address.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator
VEL team member
"Wearing my tin foil hat with pride"

leolam
Joomla! Master
Posts: 18387
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: PhpMailer remote exploit - CVE-2016-10033

Postby leolam » Thu Dec 29, 2016 2:57 am

fcoulter wrote:So far the VEL team do not know of any extensions that are vulnerable to this,
Update: https://vel.joomla.org/component/tags/tag/35-phpmailer

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support:https://gws-desk.com -
- Joomla Specialized Hosting Solutions:https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

mbabker
Joomla! Hero
Posts: 2010
Joined: Sun Feb 28, 2010 8:26 pm
Location: White Bear Lake, MN, USA

Re: PhpMailer remote exploit - CVE-2016-10033

Postby mbabker » Thu Dec 29, 2016 4:06 am

Just so this is clear too, since the VEL listings won't make this distinction, the simple inclusion of the PHPMailer library is not enough in and of itself to be considered vulnerable. An extension in essence has to expose a field to a frontend user that allows the message's "from" address to be set to a user defined value AND not perform proper validations on that input to be exploitable. Checking one of our client sites, it does look like at least Chronoforms offers a dynamically configurable from address, so that is one of the prerequisites to triggering the issue.

Updating the library is still a good idea either way, but being realistic here (and the same advice is coming from the researcher who has reported the issue to many mailer library maintainers and the PHPMailer team), you're safe as long as you don't take user input and inject it into a PHPMailer message. This is in part why Joomla isn't rushing out a release; the only place in core that this user input exists is the global configuration.

fcoulter
Joomla! Ace
Posts: 1359
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: PhpMailer remote exploit - CVE-2016-10033

Postby fcoulter » Thu Dec 29, 2016 12:03 pm

Thanks for the clarifications Leo and Michael.

Yes, to be clear inclusion on the list means that the extension includes the vulnerable library, not that an exploit actually exists. The VEL do not release information about exploits. You are advised to update as a precaution.

If you have any questions about a particular extension you need to contact the developer.

Flayologist
Joomla! Apprentice
Posts: 11
Joined: Fri Jan 16, 2015 12:30 am

Re: PhpMailer remote exploit - CVE-2016-10033

Postby Flayologist » Sat Sep 16, 2017 4:12 am

Is there a method to upgrade the phpmailer included in Joomla to the latest version without updating Joomla itself? We have an extensively modified Joomla install and upgrading now is not an option. It would require about $1000 of code to be rewritten and placed into our install...

Perhaps a patch to fix this for version 3.6.5 of Joomla?

fcoulter
Joomla! Ace
Posts: 1359
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: PhpMailer remote exploit - CVE-2016-10033

Postby fcoulter » Sat Sep 16, 2017 10:04 am

I think that the chances of an official patch are zero.

You could try your own patch by simply replacing the version of PHPMailer in libraries/vendor/phpmailer with the latest release; I think it is likely that it will work. There is nothing custom about the version distributed with Joomla so far as I know.

But really this is a classic example of why it is a terrible idea to modify the core files: sooner or later you will need to update and it will be very difficult. However customized you need your site to be, it should be possible to do this using plugins, 3rd party components, template overrides etc. Joomla is very flexible. You should not modify the core, and a good developer would not do this and then charge you $1000 for it.

Webdongle
Joomla! Master
Posts: 33408
Joined: Sat Apr 05, 2008 9:58 pm

Re: PhpMailer remote exploit - CVE-2016-10033

Postby Webdongle » Sat Sep 16, 2017 11:30 am

Flayologist wrote:Is there a method to upgrade the phpmailer included in Joomla, to the latest version without updating Joomla itself? We have an extensively modified Joomla install and upgrading now is not an option. ...
Then you have a major problem. Not long now before you are hacked or your site fails to work. You need to update. Unless your developer was stupid enough to modify Joomla core files then updates should not prevent your site from working.

leolam
Joomla! Master
Posts: 18387
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: PhpMailer remote exploit - CVE-2016-10033

Postby leolam » Mon Sep 18, 2017 4:16 pm

In a few days from now the wonderful new Joomla 3.8.0 is going to be released.... You do not want to get a better ranking with the new URL-routing system, as an example?

You have no choice it seems. Find yourself a developer who uses overrides when making changes... You will have to invest again to be able to use Joomla's latest version or face being hacked soon. (All Joomla versions below Joomla 3.7.5 are highly vulnerable!) You (!) allowed the 'developer' to do it wrong, it seems? (We (Joomla) do not make changes to the core to save you US$ 1000..... think that is a real request?)

Leo 8)
