Outdated! Critical Vulnerability In PHPMailer Library. Should Be Fixed ASAP

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 27 December 2016 - 04:52 PM #1

Dear friends,
 
This post is OUTDATED, please view the recent one.
 
A critical issue was found in the third-party PHPMailer library. The vulnerability allows hackers to create files with any type of content on the server (to learn more: http://thehackernews...r-security.html).

The PHPMailer library is used in CS-Cart to send emails. However, CS-Cart's internal security mechanisms prevent such files from being used as malicious PHP scripts. Thanks to this, it is harder to make use of the vulnerability.

All versions of CS-Cart, starting with 1.2.x, are affected.

If you use CS-Cart/Multi-Vendor version 4.4.2, the upgrade to 4.4.2.SP1 will be available within the next 16 hours. This update will fix the vulnerability.

To those who use earlier versions of CS-Cart, we strongly recommend fixing the vulnerability manually by following these simple instructions:
 
For CS-Cart 1.x:
- Open the file classes/phpmailer/class.phpmailer.php
- In this file find the line:
$params = sprintf("-oi -f %s", $this->Sender);
- Replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));

For CS-Cart 2.x, 3.x:
- Open the file lib/phpmailer/class.phpmailer.php
- In this file find the line:
$params = sprintf("-oi -f %s", $this->Sender);
- Replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));

For CS-Cart 4.0.x, 4.1.x, 4.2.x:
- Open the file app/lib/other/phpmailer/class.phpmailer.php
- In this file find the line:
$params = sprintf("-oi -f %s", $this->Sender);
- Replace it with the following line:
$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));

For CS-Cart 4.3.x and 4.4.x:
- Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
- In this file find the line:
$params = sprintf('-f%s', $this->Sender);
- Replace it with the following line:
$params = sprintf('-f%s', escapeshellarg($this->Sender));

Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug
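An added example to go with the instructions above (my own code, not CS-Cart's or PHPMailer's): a small PHP script, run from the CS-Cart root, that looks at each file path named in the post and reports whether the `$this->Sender` line there still lacks `escapeshellarg()`, together with a helper that shows the hardened way of building the sender parameter. The `escapeshellarg()` call is exactly what the post's fix adds; the address check with `filter_var()` is an extra layer I added, and the script name and sample addresses are constructed.

```php
<?php
// Added example, not CS-Cart or PHPMailer code. Run it from the CS-Cart
// root (php check_phpmailer_fix.php) after applying the manual fix above.
// The script name is my own choice; the file paths are the ones named in
// the post, one per CS-Cart version line.

declare(strict_types=1);

$candidates = [
    '1.x'          => 'classes/phpmailer/class.phpmailer.php',
    '2.x, 3.x'     => 'lib/phpmailer/class.phpmailer.php',
    '4.0.x-4.2.x'  => 'app/lib/other/phpmailer/class.phpmailer.php',
    '4.3.x, 4.4.x' => 'app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php',
];

/**
 * Report whether a PHPMailer source text still passes $this->Sender into the
 * sendmail parameter string unescaped. Matches both line variants quoted in
 * the post ("-oi -f %s" for older releases, '-f%s' for 4.3.x and 4.4.x).
 */
function classifyPhpmailerSource(string $source): string
{
    $format = '[\'"]-(?:oi -f %s|f%s)[\'"]';
    if (preg_match('/sprintf\(\s*' . $format . '\s*,\s*escapeshellarg\(\$this->Sender\)\s*\)/', $source)) {
        return 'patched';
    }
    if (preg_match('/sprintf\(\s*' . $format . '\s*,\s*\$this->Sender\s*\)/', $source)) {
        return 'vulnerable';
    }
    return 'unknown'; // line not found at all: a different release, or already rewritten
}

/**
 * Hardened construction of the -f parameter. escapeshellarg() is the call the
 * manual fix adds; rejecting anything that is not a plain email address is an
 * extra layer added here, so that a value with spaces or quotes never reaches
 * the shell at all.
 */
function buildSenderParam(string $sender): string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Sender is not a valid email address');
    }
    return sprintf('-f%s', escapeshellarg($sender));
}

// Check every known location; only the ones present in this installation are reported.
foreach ($candidates as $versions => $path) {
    if (!is_file($path)) {
        continue;
    }
    $verdict = classifyPhpmailerSource((string) file_get_contents($path));
    printf("%-14s %-62s %s\n", $versions, $path, $verdict);
}

// Constructed sample values, not taken from any real incident.
echo buildSenderParam('shop@example.com'), PHP_EOL;
try {
    buildSenderParam('shop@example.com with extra words');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The check is purely textual and only knows the one line the post names, so a verdict of `unknown` means the file should be inspected by hand rather than assumed safe. The manual edit is a stop-gap; the durable fix is upgrading to a CS-Cart release that ships the corrected PHPMailer, which for 4.4.2 users is the 4.4.2.SP1 update mentioned in the post.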

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4644 posts

Posted 27 December 2016 - 05:11 PM #2

Question,

I am using 4.4.2. Do I wait for the upgrade, or can I use the below and do it now?

For CS-Cart 4.3.x and 4.4.x:

- Open the file app/lib/vendor/phpmailer/class.phpmailer.php
- In this file find the line:
$params = sprintf('-f%s', $this->Sender);
- Replace it with the following line:
$params = sprintf('-f%s', escapeshellarg($this->Sender));

Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • cscartrocks
  • Member
  • Members
  • Join Date: 24-Jan 11
  • 1758 posts

Posted 27 December 2016 - 05:15 PM #3

Should it be:

For CS-Cart 4.3.x and 4.4.x:

- Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php

One Step Checkout Addon - The ultimate checkout experience
Best CS-Cart SEO addon - CS-Cart SEO Ultimate Addon
PM for quality custom work/project


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 27 December 2016 - 05:16 PM #4

> Question,
>
> I am using 4.4.2. Do I wait for the upgrade, or can I use the below and do it now?
>
> For CS-Cart 4.3.x and 4.4.x:
>
> - Open the file app/lib/vendor/phpmailer/class.phpmailer.php
> - In this file find the line:
> $params = sprintf('-f%s', $this->Sender);
> - Replace it with the following line:
> $params = sprintf('-f%s', escapeshellarg($this->Sender));

I would recommend applying the fix, simply because you can do it right now.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • cscartrocks
  • Member
  • Members
  • Join Date: 24-Jan 11
  • 1758 posts

Posted 27 December 2016 - 05:16 PM #5

> Question,
>
> I am using 4.4.2. Do I wait for the upgrade, or can I use the below and do it now?
>
> For CS-Cart 4.3.x and 4.4.x:
>
> - Open the file app/lib/vendor/phpmailer/class.phpmailer.php
> - In this file find the line:
> $params = sprintf('-f%s', $this->Sender);
> - Replace it with the following line:
> $params = sprintf('-f%s', escapeshellarg($this->Sender));

You can use this:

For CS-Cart 4.3.x and 4.4.x:

- Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php

and make the changes.

One Step Checkout Addon - The ultimate checkout experience
Best CS-Cart SEO addon - CS-Cart SEO Ultimate Addon
PM for quality custom work/project


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 27 December 2016 - 05:18 PM #6

> Should it be:
>
> For CS-Cart 4.3.x and 4.4.x:
>
> - Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php

That's right. Fixed.

Thank you.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4644 posts

Posted 27 December 2016 - 05:19 PM #7

Thanks

 

Done


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • dvsgr
  • Senior Member
  • Authorized Reseller
  • Join Date: 14-Apr 09
  • 1448 posts

Posted 27 December 2016 - 07:53 PM #8

Thank you Ilia for the heads-up!


Fotis Kourmadas
Cs-Cart Development - Cs-Cart Authorized Reseller 

 
  • CutRiteFX
  • Senior Member
  • Members
  • Join Date: 02-Jun 08
  • 431 posts

Posted 28 December 2016 - 06:44 AM #9

Quick question. My hosting has blocked all email on my site due to viagra spam etc. that my site was sending out. I just found this out today because when someone places an order on my site or hits "contact us" I am not getting any emails. GoDaddy said my site is sending out these emails. Does this mean my site was already infected by this? And if so, how do I fix it? I have already updated to the SP1 and don't know if this has fixed it or not.


CS-Cart 4.7.4


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2074 posts

Posted 28 December 2016 - 06:57 AM #10

> Quick question. My hosting has blocked all email on my site due to viagra spam etc. that my site was sending out. I just found this out today because when someone places an order on my site or hits "contact us" I am not getting any emails. GoDaddy said my site is sending out these emails. Does this mean my site was already infected by this? And if so, how do I fix it? I have already updated to the SP1 and don't know if this has fixed it or not.

Most probably your problem has nothing to do with the described vulnerability. But I would recommend that you contact tech support and provide them with the logs from GoDaddy.


Ilya Makarov,
CS-Cart Architect Team
Suggest and vote for new features | Report a bug