Dear friends,
This topic contains up-to-date information about the critical PHPMailer vulnerability. The old topic can be found here.
A critical issue was found in the third-party library PHPMailer. The vulnerability allows attackers to create files with arbitrary content on a server (to learn more: http://thehackernews.com/2016/12/phpmailer-security.html).
CS-Cart uses this PHPMailer library to send emails. However, CS-Cart's internal security mechanisms prevent such files from being used as malicious PHP scripts, which makes the vulnerability harder to exploit.
All versions of CS-Cart, starting with 1.2.x, are affected.
There are three ways to deal with this vulnerability, depending on your CS-Cart version:
• If you use CS-Cart/Multi-Vendor version 4.4.2, upgrade directly to 4.4.2.SP2. This version will be available within the next 16 hours.
• If you have already updated your CS-Cart/Multi-Vendor to version 4.4.2.SP1, upgrade to version 4.4.2.SP2 as well. This version will be available within the next 16 hours.
• If you use an earlier version of CS-Cart, we strongly recommend fixing the vulnerability manually by following these simple instructions:
If you have already applied the fix from the old post, perform steps 1 to 3 only.
For CS-Cart 1.x:
1. Open the file classes/phpmailer/class.phpmailer.php
2. In this file find the line:
$this->Sender = $address;
3. Replace it with the following line:
$this->Sender = escapeshellcmd($address) === $address ? $address : '';
4. Then find another line:
$params = sprintf("-oi -f %s", $this->Sender);
5. And replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));
For CS-Cart 2.x, 3.x:
1. Open the file lib/phpmailer/class.phpmailer.php
2. In this file find the line:
$this->Sender = $address;
3. Replace it with the following line:
$this->Sender = escapeshellcmd($address) === $address ? $address : '';
4. Then find another line:
$params = sprintf("-oi -f %s", $this->Sender);
5. And replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));
For CS-Cart 4.0.x, 4.1.x, 4.2.x:
1. Open the file app/lib/other/phpmailer/class.phpmailer.php
2. In this file find the line:
$this->Sender = $address;
3. Replace it with the following line:
$this->Sender = escapeshellcmd($address) === $address ? $address : '';
4. Then find another line:
$params = sprintf("-oi -f %s", $this->Sender);
5. And replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));
For CS-Cart 4.3.x and 4.4.x:
1. Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
2. In this file find the line:
$this->Sender = $address;
3. Replace it with the following line:
$this->Sender = escapeshellcmd($address) === $address ? $address : '';
4. Then find another line:
$params = sprintf('-f%s', $this->Sender);
5. And replace it with the following line:
$params = sprintf('-f%s', escapeshellarg($this->Sender));
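The two replacement lines in every version block above work together: the first keeps a sender address only if escapeshellcmd() would leave it unchanged (so it contains no shell metacharacters), and the second passes whatever survives to sendmail as a single quoted argument. The following stand-alone PHP script is an added example, not code from PHPMailer or CS-Cart; it reimplements both lines as small functions and runs them over constructed sender strings so you can see which layer handles which input. The sample addresses are made up for this demonstration, and the early return for an empty sender mirrors PHPMailer's behaviour of only adding the -f parameter when a sender is set.

```php
<?php
// Added example (not PHPMailer's or CS-Cart's own code): a stand-alone
// reimplementation of the two replacement lines from the instructions above,
// so the effect of each line can be observed on constructed sender addresses.

/**
 * Mirrors the first replacement line: keep the address only if escapeshellcmd()
 * returns it unchanged, i.e. it contains no characters that the shell would
 * interpret; otherwise store an empty sender.
 */
function sanitizeSender(string $address): string
{
    return escapeshellcmd($address) === $address ? $address : '';
}

/**
 * Mirrors the second replacement line (4.3.x/4.4.x form): the sender becomes
 * one quoted argument, so spaces or quotes inside it cannot turn into extra
 * sendmail options. PHPMailer only builds -f when a sender is set, which is
 * reproduced here by returning an empty parameter string.
 */
function buildSendmailParams(string $sender): string
{
    if ($sender === '') {
        return '';
    }
    return sprintf('-f%s', escapeshellarg($sender));
}

/** The original, unhardened construction, kept only for comparison. */
function buildSendmailParamsUnsafe(string $sender): string
{
    if ($sender === '') {
        return '';
    }
    return sprintf('-f%s', $sender);
}

// Constructed inputs for the demonstration (not addresses taken from any attack).
$samples = [
    'user@example.com',       // ordinary address: accepted unchanged
    'user\\@example.com',     // backslash: escapeshellcmd() alters it, so it is rejected
    'user"@example.com',      // unpaired quote: escapeshellcmd() alters it, so it is rejected
    'user name@example.com',  // space: passes the first check, neutralised by escapeshellarg()
];

foreach ($samples as $address) {
    $sender = sanitizeSender($address);
    printf(
        "%-24s -> sender=%-24s unsafe=[%s] hardened=[%s]\n",
        $address,
        var_export($sender, true),
        buildSendmailParamsUnsafe($sender),
        buildSendmailParams($sender)
    );
}
```

Run it with `php` on the command line. The first address passes both layers and is emitted as `-f'user@example.com'`; the backslash and unpaired-quote variants are dropped to an empty sender by the first line alone; the address containing a space shows why the second line is still needed: escapeshellcmd() does not touch spaces, so the unhardened form would hand sendmail two separate arguments, whereas the hardened form yields the single argument `-f'user name@example.com'`.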