Code injection vulnerability in PHPMailer

Discussion regarding Joomla! 3.x security issues.

mamboline
Joomla! Enthusiast
Posts: 104
Joined: Wed Oct 05, 2005 12:42 pm
Location: Beograd, Serbia

Code injection vulnerability in PHPMailer

Post by mamboline » Tue May 18, 2021 7:47 am

Hey,

I received a warning from my hosting provider about a code injection vulnerability in PHPMailer: /libraries/vendor/phpmailer/phpmailer/class.phpmailer.php

I have the latest Joomla v3.9.26, checked the file "class.phpmailer.php" and it's the same as the original file from the Joomla installation. Found this about PHPMailer vulnerability:
No action required for Joomla users, the updated library will be included in the next scheduled release and additional mechanisms exist in Joomla core to prevent triggering the vulnerability. Users of the PHPMailer library separate from Joomla are advised to upgrade to 5.2.20 or newer ASAP.
Now, I am wondering what to do to fix this and satisfy my hosting provider? From the code, I see Joomla uses PHPMailer v5.2.28, while the current version on GitHub is v6.4.1: https://github.com/PHPMailer/PHPMailer/

Please help.

Thanks,
Milos

mamboline
Joomla! Enthusiast
Posts: 104
Joined: Wed Oct 05, 2005 12:42 pm
Location: Beograd, Serbia

Re: Code injection vulnerability in PHPMailer

Post by mamboline » Tue May 18, 2021 7:56 am

One more piece of info... My hosting provider uses the Patchman module for cPanel, and it lets me "patch" the file I mentioned. I did that. Now I see the file "class.phpmailer.php" is a little bit bigger, and according to my hosting provider, it is now safe.

I am wondering, will this "patch" do something wrong to my Joomla? Also, why doesn't the Joomla installation include the safe/patched file rather than the unsafe file?

Thanks again

brian
Joomla! Master
Posts: 12787
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Code injection vulnerability in PHPMailer

Post by brian » Tue May 18, 2021 8:09 am

Joomla does NOT include an unsafe file.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Richard67
Joomla! Explorer
Posts: 270
Joined: Fri Sep 16, 2011 6:13 pm
Location: Germany

Re: Code injection vulnerability in PHPMailer

Post by Richard67 » Tue May 18, 2021 8:49 pm

A security issue has indeed been reported; details can be found here: https://cve.mitre.org/cgi-bin/cvename.c ... 2020-36326 .

In Joomla 3 we use version 5 of PHPMailer, which is not affected by this issue.

In Joomla 4 we fix security issues in public because it is in the beta phase. For Joomla 4 I have just created this pull request to update PHPMailer to version 6.4.1, which is not affected by that issue: https://github.com/joomla/joomla-cms/pull/33952
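The practical question behind the first post and this reply is "which PHPMailer do I actually have installed, and is it one of the versions the thread says are fine?" The following POSIX shell script is an added example, not code from this thread, from Joomla or from PHPMailer. It assumes the upstream layout of the two branches: a 5.x class file declares `public $Version = '5.2.28';` and a 6.x file declares `const VERSION = '6.4.1';`. It reads that string out of the file, compares it against 6.4.1 (the version the Joomla 4 pull request above moves to) with a small dotted-version comparison, and classifies the result. The sample class files it creates are constructed stand-ins for the demo, not real releases.

```shell
#!/bin/sh
# Added example (not Joomla's or PHPMailer's code): report which PHPMailer
# version an installed class file declares and whether it is older than the
# 6.4.1 release named in the thread.

# Print the version string declared in a PHPMailer class file, or nothing.
# Matches both the 5.x form (public $Version = '...') and the 6.x form
# (const VERSION = '...'); assumption: upstream files keep these declarations.
phpmailer_version() {
    sed -n -E "s/^[[:space:]]*(public[[:space:]]+\\\$Version|const[[:space:]]+VERSION)[[:space:]]*=[[:space:]]*'([0-9.]+)'.*/\\2/p" "$1" | head -n 1
}

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 (same convention as PHP's version_compare()).
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        # Drop the consumed leading component (or empty the string if none left).
        [ "$a" = "$x" ] && a='' || a=${a#*.}
        [ "$b" = "$y" ] && b='' || b=${b#*.}
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify an installed file. Output is one of:
#   unknown     - no version declaration found (file is not a PHPMailer class)
#   v5-branch   - 5.x, the branch Joomla 3 ships (the thread says this issue
#                 does not apply to it; says nothing about the 5.x branch otherwise)
#   v6-update   - 6.x older than 6.4.1
#   v6-current  - 6.4.1 or newer
phpmailer_status() {
    v=$(phpmailer_version "$1")
    [ -n "$v" ] || { printf '%s\n' unknown; return; }
    case $v in
        5.*) printf '%s\n' v5-branch ;;
        *)
            if [ "$(version_cmp "$v" 6.4.1)" -lt 0 ]; then
                printf '%s\n' v6-update
            else
                printf '%s\n' v6-current
            fi
            ;;
    esac
}

# Write a constructed, minimal stand-in for a PHPMailer class file containing
# the given declaration line and print its path (sample input for the demo).
make_sample() {
    f=$(mktemp)
    printf '<?php\nclass PHPMailer\n{\n    %s\n}\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demo on constructed inputs. On a real site the argument would be the
# installed file, e.g. libraries/vendor/phpmailer/phpmailer/class.phpmailer.php.
for decl in "public \$Version = '5.2.28';" "const VERSION = '6.4.0';" "const VERSION = '6.4.1';"; do
    f=$(make_sample "$decl")
    printf '%-30s -> %s\n' "$decl" "$(phpmailer_status "$f")"
    rm -f "$f"
done
```

The classification only encodes what this thread states about the one issue it discusses (5.x not affected, 6.4.1 fixed); it is not a general statement about the security status of the 5.x branch, which is a separate question. A version string is also only half of the check the original poster did: comparing the installed file byte for byte against the copy in the matching Joomla release package is what tells you whether the file itself has been altered.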

Richard67
Joomla! Explorer
Posts: 270
Joined: Fri Sep 16, 2011 6:13 pm
Location: Germany

Re: Code injection vulnerability in PHPMailer

Post by Richard67 » Tue May 18, 2021 10:11 pm

P.S.: The fix for Joomla 4 has just been merged and so will be included in the next nightly builds and versions.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Code injection vulnerability in PHPMailer

Post by sozzled » Tue May 18, 2021 10:16 pm

A little off-topic: @Richard67, any estimate of time when a complete package (i.e. *not* a nightly build) for J! 4.0 (Beta 8 or RC) will be released for testing?

Richard67
Joomla! Explorer
Posts: 270
Joined: Fri Sep 16, 2011 6:13 pm
Location: Germany

Re: Code injection vulnerability in PHPMailer

Post by Richard67 » Tue May 18, 2021 10:19 pm

@sozzled I think in May, but that's just my personal guess.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Code injection vulnerability in PHPMailer

Post by sozzled » Tue May 18, 2021 10:25 pm

Thanks, @richard67. I've been testing J! 4 Beta 7 for the past three months or more; I never use "nightly builds" because they're highly volatile and not very reliable and, besides, I'm only testing J! 4 on a PC-hosted environment that doesn't have a mail service. So I'm waiting for a fairly "stable" beta or RC before I deploy J! 4 on a commercially-hosted webserver before I can continue further testing. 8)

Richard67
Joomla! Explorer
Posts: 270
Joined: Fri Sep 16, 2011 6:13 pm
Location: Germany

Re: Code injection vulnerability in PHPMailer

Post by Richard67 » Tue May 18, 2021 10:27 pm

We are working hard to get it ready.
