Update: Critical Vulnerability In PHPMailer Library. Should Be Fixed ASAP

Dear friends,

This topic contains up-to-date information about the critical PHPMailer vulnerability. The old topic can be found here.

A critical issue was found in the third-party library PHPMailer. The vulnerability allows hackers to create files with any type of content on a server (to learn more: http://thehackernews.com/2016/12/phpmailer-security.html).

The PHPMailer library is used in CS-Cart to send emails. However, CS-Cart's internal security systems prevent such files from being used as malicious PHP scripts. Thanks to this protection, it is harder to make use of this vulnerability.

All versions of CS-Cart, starting with 1.2.x, are affected.

There are three ways to deal with this vulnerability, depending on the version of your CS-Cart:

• If you use CS-Cart/Multi-Vendor version 4.4.2, you will need to upgrade straight to 4.4.2.SP2. This version will be available within the next 16 hours.

• If you have already updated your CS-Cart/Multi-Vendor to version 4.4.2.SP1, you will need to upgrade to version 4.4.2.SP2 as well. This version will be available within the next 16 hours.

• To those who use earlier versions of CS-Cart, we strongly recommend fixing the vulnerability manually by following these simple instructions:

If you have already applied the fix from the old post, then do steps 1 to 3 only.

For CS-Cart 1.x:
1. Open the file classes/phpmailer/class.phpmailer.php
2. In this file find the line:

$this->Sender = $address;

3. Replace it with the following line:

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line:

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line:

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));



For CS-Cart 2.x, 3.x:
1. Open the file lib/phpmailer/class.phpmailer.php
2. In this file find the line:

$this->Sender = $address;

3. Replace it with the following line:

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line:

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line:

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));


For CS-Cart 4.0.x, 4.1.x, 4.2.x:
1. Open the file app/lib/other/phpmailer/class.phpmailer.php
2. In this file find the line:

$this->Sender = $address;

3. Replace it with the following line:

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line:

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line:

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));



For CS-Cart 4.3.x and 4.4.x:
1. Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
2. In this file find the line:

$this->Sender = $address;

3. Replace it with the following line:

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line:

$params = sprintf('-f%s', $this->Sender);

5. And replace it with the following line:

$params = sprintf('-f%s', escapeshellarg($this->Sender));
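
Added example, not part of the original post and not CS-Cart's code: a shell check that reports whether the two edits from the instructions above are present in a store's class.phpmailer.php. The function names and status words are made up for this example; the file paths and the matched PHP lines are the ones given in the post.

```shell
#!/usr/bin/env bash
# Added example, not CS-Cart code: check whether the two manual edits from the
# post are present in a copy of class.phpmailer.php.

# Relative paths per CS-Cart version, as listed in the post.
PHPMAILER_PATHS='classes/phpmailer/class.phpmailer.php
lib/phpmailer/class.phpmailer.php
app/lib/other/phpmailer/class.phpmailer.php
app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php'

# Prints: patched | partial | unpatched | lines-not-found | missing
check_phpmailer_file() {
    f=$1; open=0; fixed=0
    [ -r "$f" ] || { echo "missing"; return 0; }
    # Edit 1 (steps 2-3): the Sender assignment. -F matches $ ( ? literally.
    if grep -qF '$this->Sender = $address;' "$f"; then open=$((open + 1)); fi
    if grep -qF '$this->Sender = escapeshellcmd($address) === $address' "$f"; then
        fixed=$((fixed + 1))
    fi
    # Edit 2 (steps 4-5): the $params line holding the -f option.
    lines=$(grep -F '$params = sprintf(' "$f" || true)
    case $lines in *', $this->Sender);'*) open=$((open + 1)) ;; esac
    case $lines in *'escapeshellarg($this->Sender)'*) fixed=$((fixed + 1)) ;; esac
    if [ "$open" -gt 0 ] && [ "$fixed" -gt 0 ]; then echo "partial"
    elif [ "$open" -gt 0 ]; then echo "unpatched"
    elif [ "$fixed" -eq 2 ]; then echo "patched"
    elif [ "$fixed" -eq 1 ]; then echo "partial"
    else echo "lines-not-found"   # e.g. a version without these lines
    fi
}

# Check every known location under a CS-Cart root directory.
scan_cscart() {
    root=${1:-.}
    printf '%s\n' "$PHPMAILER_PATHS" | while IFS= read -r rel; do
        if [ -f "$root/$rel" ]; then
            echo "$rel: $(check_phpmailer_file "$root/$rel")"
        fi
    done
}

# Usage: ./check_phpmailer.sh /path/to/cscart
if [ "$#" -gt 0 ]; then scan_cscart "$1"; fi
```

It recognises only these two manual edits, so a file replaced with a newer upstream PHPMailer release has to be judged by its version instead, and a "patched" result says nothing about whether the site was compromised before the edit.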

I'm not super familiar with PHPMailer. Is there any reason to recommend against just dropping in 5.2.21 (official patch)? It appears this is supposed to be an ongoing issue for the rest of the week:

> Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching.

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

Hi Sergey

In the 135sp4 the line

$this->Sender = $address;

is not to be found

Fotis

My site has been compromised for what I believe is this issue. My host has taken my site down as a result.

I have a ticket through the help desk. What else can I do at this point until I hear from them? I have applied the fix as well, for what it's worth at this point.

Thanks,

Carol

> Hi Sergey
>
> In the 135sp4 the line
>
> $this->Sender = $address;
>
> is not to be found
>
> Fotis

Hi Fotis,

I apologize for the confusion.

It turned out that 1.3.x is not affected by this vulnerability at all.

> I'm not super familiar with PHPMailer. Is there any reason to recommend against just dropping in 5.2.21 (official patch)? It appears this is supposed to be an ongoing issue for the rest of the week:
>
> https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

We were working on the patch when the official fix from PHPMailer was not ready yet. And our guys were discussing the planned changes: https://github.com/PHPMailer/PHPMailer/pull/929

Besides, for most of our clients it is much easier to change two lines than to override a number of files; moreover, we were not sure that the latest PHPMailer library would work with CS-Cart 2.x.x or 3.0.x.

> My site has been compromised for what I believe is this issue. My host has taken my site down as a result.
>
> I have a ticket through the help desk. What else can I do at this point until I hear from them? I have applied the fix as well, for what it's worth at this point.
>
> Thanks,
>
> Carol

The first thing that should be checked is whether sendmail is used as the mail agent on your server. According to these statistics (Mail (MX) Server), over 86% of web servers on the internet are not affected by this vulnerability. This is because Postfix and Exim do not allow the vulnerable parameters to be used.

Anyway our tech support will check this for you.

Thanks for being on the ball guys. I applied the fixes.

So... how do I know if my site was compromised before I applied the fixes?

Are there any symptoms I should look for?

Thank you, termalert.

I would recommend checking for new files in your CS-Cart installation. Use the File Changes detector to do this.

Imac, I think it's a good idea to either delete the old post, or put a link to this one in caps and/or edit it so it reflects the correct fix.

Thank you Flow,

Did this.

Thanks Ilya but I am using 4.3.9 and have no intention of upgrading for a while.

How do I use the file changes detector if it's not available in my current version?

I remember way back there was an address bar entry to do it.

?dispatch=tools.view_changes

Thanks BarryH and Happy New Year.

My New Year present.

The fix stuffed my php mailer and the SMTP is as useful as it ever was.

No outgoing mail at all after phpmailer edit.

I restored to original values. Still no luck.

What really puzzles me now is WHY edit the file.

Why didn't CS-Cart support just provide entire files which could be substituted? They are only about 100kb.

I followed the editing instructions correctly yet my mailer is now broken.

No error messages, simply non-function.

Could this update be causing any mail issues on my server? I noticed shortly after I did this fix that 2 things happened. My cart started sending 2 receipts of orders to my email now. And then I am also seeing about a 10 second delay when sending emails through my mail client. Not sure that this would be the cause but just thought it was funny things started acting weird about this time (for the last 2 days). My host doesn't see anything odd happening with my mail server so thought I'd ask.

IsItFast...Happy New Year.

At least your mails are being SENT...lol

Thankfully I have determined that the fault is not mine.
The php mailer non-function occurred after CS-Cart support upgraded my store.

Our CS-Cart store only has activity when we promote sales.

CS-Cart upgraded our store on 29 Nov 2016 with no sales until today.

None of today's sales generated advisory emails.

Coincidence ? I think not.

did you check your mail.log?

mail.log ?

Not sure where that might be. The php mailer 'appears' to be working when I do the test recommended by CS-Cart documentation but no mail is being sent ???

Which mails are not being sent, order statuses?

Try filling in a contact us form and see if that sends; it could be the statuses configured wrong?

I believe Mark means the /var/log/maillog file, which records inbound mail activity. Instead, on most Linux systems, outbound mail is in /var/log/exim_mainlog.

There are two things to look at when having mail problems.

1) Is cs-cart actually generating an email (are your cart settings correct for the email method you're using)?

2) Is the email being delivered to the mail transport service?

3) and possibly whether it was actually delivered (though that usually requires a bit more skill than most merchants possess).

The first can be easily done by installing our EZ Log Email addon that will place an entry in the Administration/Logs for each email that is sent (i.e. passed to the mail method in use within your cs-cart).

The 2nd relates to the exim_mainlog above.

And the third requires a bit more detailed examination of exim_mainlog and the responses from the remote servers.