Update: Critical Vulnerability In Phpmailer Library. Should Be Fixed Asap

 
  • Sergey Markin
  • Architect
  • CS-Cart Architects
  • Join Date: 25-Mar 16
  • 8 posts

Posted 28 December 2016 - 01:14 PM #1

Dear friends,

 

This topic contains up-to-date information about the critical PHPMailer vulnerability. The old topic can be found here.

 

A critical issue was found in the third-party library PHPMailer. The vulnerability allows hackers to create files with any type of content on a server (to learn more: http://thehackernews...r-security.html).

The PHPMailer library is used in CS-Cart to send emails. However, the internal security systems of CS-Cart prevent such files from being used as malicious PHP scripts. Thanks to this protection, it is harder to make use of this vulnerability.

All versions of CS-Cart, starting with 1.2.x, are affected.

There are three ways to deal with this vulnerability, depending on the version of your CS-Cart:

• If you use CS-Cart/Multi-Vendor version 4.4.2, you will need to upgrade straight to 4.4.2.SP2. This version will be available within the next 16 hours.

• If you have already updated your CS-Cart/Multi-Vendor to version 4.4.2.SP1, you will need to upgrade to version 4.4.2.SP2 as well. This version will be available within the next 16 hours.

• For those who use earlier versions of CS-Cart, we strongly recommend fixing the vulnerability manually by following these simple instructions:

 

If you have already applied the fix from the old post, then do steps from 1 to 3 only.

 

For CS-Cart 1.x:
1. Open the file classes/phpmailer/class.phpmailer.php
2. In this file find the line: 

$this->Sender = $address;

3. Replace it with the following line: 

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line: 

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line: 

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));



For CS-Cart 2.x, 3.x:
1. Open the file lib/phpmailer/class.phpmailer.php
2. In this file find the line: 

$this->Sender = $address;

3. Replace it with the following line: 

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line: 

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line: 

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));


For CS-Cart 4.0.x, 4.1.x, 4.2.x:
1. Open the file app/lib/other/phpmailer/class.phpmailer.php
2. In this file find the line: 

$this->Sender = $address;

3. Replace it with the following line: 

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line: 

$params = sprintf("-oi -f %s", $this->Sender);

5. And replace it with the following line: 

$params = sprintf("-oi -f %s", escapeshellarg($this->Sender));



For CS-Cart 4.3.x and 4.4.x:
1. Open the file app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
2. In this file find the line: 

$this->Sender = $address;

3. Replace it with the following line: 

$this->Sender = escapeshellcmd($address) === $address ? $address : '';

4. Then find another line: 

$params = sprintf('-f%s', $this->Sender);

5. And replace it with the following line: 

$params = sprintf('-f%s', escapeshellarg($this->Sender));
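
A quick way to confirm that both replacement lines are in place in each PHPMailer copy listed above. This is an added example, not CS-Cart's or PHPMailer's code; the function names and state labels are made up for illustration, while the paths and match strings come from the post.

```shell
#!/bin/sh
# Added example (not CS-Cart or PHPMailer code): report whether a
# class.phpmailer.php copy carries both replacement lines from the post.
# Function names and state labels are assumptions for illustration.

# Fixed strings taken from the instructions above.
OLD_SENDER='$this->Sender = $address;'
NEW_SENDER='escapeshellcmd($address) === $address'
NEW_PARAMS='escapeshellarg($this->Sender)'

# Prints one of: missing, patched, partial, unpatched, no-sender-line
phpmailer_patch_state() {
    f=$1
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    old=0; new=0; arg=0
    if grep -qF -- "$OLD_SENDER" "$f"; then old=1; fi
    if grep -qF -- "$NEW_SENDER" "$f"; then new=1; fi
    if grep -qF -- "$NEW_PARAMS" "$f"; then arg=1; fi
    if [ "$new" = 1 ] && [ "$arg" = 1 ] && [ "$old" = 0 ]; then
        echo patched            # steps 3 and 5 both applied
    elif [ "$old" = 0 ] && [ "$new" = 0 ]; then
        echo no-sender-line     # the assignment is not in this copy at all
    elif [ "$new" = 1 ] || [ "$arg" = 1 ]; then
        echo partial            # only one of the two replacements found
    else
        echo unpatched
    fi
}

# Check every library location the post lists, relative to the store root.
check_cscart_root() {
    root=$1
    for rel in classes/phpmailer/class.phpmailer.php \
               lib/phpmailer/class.phpmailer.php \
               app/lib/other/phpmailer/class.phpmailer.php \
               app/lib/vendor/phpmailer/phpmailer/class.phpmailer.php; do
        state=$(phpmailer_patch_state "$root/$rel")
        if [ "$state" != missing ]; then echo "$rel: $state"; fi
    done
}

# Stand-alone use: sh check.sh /path/to/cscart
if [ "$#" -gt 0 ]; then check_cscart_root "$1"; fi
```

A `partial` result is what a file looks like when only one of the two replacements has been made; `no-sender-line` means the file has no `$this->Sender = $address;` assignment to replace.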


 
  • sitmgreg
  • Advanced Member
  • Members
  • Join Date: 01-Jun 16
  • 62 posts

Posted 28 December 2016 - 05:12 PM #2

I'm not super familiar with phpmailer. Is there any reason to recommend against just dropping in 5.2.21 (official patch)? It appears this is supposed to be an ongoing issue for the rest of the week:

> Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching.

https://legalhackers...tch-Bypass.html



 
  • dvsgr
  • Senior Member
  • Authorized Reseller
  • Join Date: 14-Apr 09
  • 1442 posts

Posted 28 December 2016 - 05:53 PM #3

Hi Sergey

 

In the 135sp4 the line

 

$this->Sender = $address;

 

is not to be found

 

Fotis


Fotis Kourmadas
Cs-Cart Development - Cs-Cart Authorized Reseller 

 
  • cmund
  • Member
  • Members
  • Join Date: 01-Jun 10
  • 129 posts

Posted 28 December 2016 - 08:24 PM #4

My site has been compromised for what I believe is this issue.  My host has taken my site down as a result.  

 

I have a ticket through the help desk.  What else can I do at this point until I hear from them?  I have applied the fix as well, for what it's worth at this point.

 

Thanks,

 

Carol


Version 4.2.4


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2043 posts

Posted 29 December 2016 - 10:37 AM #5

> Hi Sergey
>
> In the 135sp4 the line
>
> $this->Sender = $address;
>
> is not to be found
>
> Fotis

Hi Fotis,

I apologize for the confusion.

It turned out that 1.3.x is not affected by this vulnerability at all.


Ilya Makarov,
CS-Cart Architect Team

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2043 posts

Posted 29 December 2016 - 10:41 AM #6

> I'm not super familiar with phpmailer. Is there any reason to recommend against just dropping in 5.2.21 (official patch)? It appears this is supposed to be an ongoing issue for the rest of the week:
>
> https://legalhackers...tch-Bypass.html

We were working on the patch when the official fix from PHPMailer was not ready yet, and our guys were discussing the planned changes: https://github.com/P...Mailer/pull/929

Besides, for most of our clients it is much easier to change two lines than to override a number of files; moreover, we were not sure that the latest PHPMailer library would work with CS-Cart 2.x.x or 3.0.x.


Ilya Makarov,
CS-Cart Architect Team

 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2043 posts

Posted 29 December 2016 - 10:46 AM #7

> My site has been compromised for what I believe is this issue. My host has taken my site down as a result.
>
> I have a ticket through the help desk. What else can I do at this point until I hear from them? I have applied the fix as well, for what it's worth at this point.
>
> Thanks,
>
> Carol

The first thing that should be checked is whether sendmail is used as the Mail Agent on your server. According to these statistics (Mail (MX) Server), over 86% of web servers on the internet are not affected by this vulnerability. This is because Postfix and Exim do not allow the vulnerable parameters to be used.

 

Anyway our tech support will check this for you.


Ilya Makarov,
CS-Cart Architect Team

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 939 posts

Posted 29 December 2016 - 11:22 AM #8

Thanks for being on the ball guys. I applied the fixes.

So...how do I know if my site was compromised before I applied the fixes.

Are there any symptoms I should look for ?



 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2043 posts

Posted 30 December 2016 - 05:48 AM #9

> Thanks for being on the ball guys. I applied the fixes.
>
> So...how do I know if my site was compromised before I applied the fixes.
>
> Are there any symptoms I should look for ?

Thank you, termalert.

I would recommend that you check for new files in your CS-Cart installation. Use the File Changes detector to do this.


Ilya Makarov,
CS-Cart Architect Team

 
  • Flow
  • Super Duper and Amazingly Sexy Senior
  • Members
  • Join Date: 13-Oct 10
  • 2232 posts

Posted 30 December 2016 - 09:40 AM #10

Imac, I think it's a good idea to either delete the old post, or put a link to this one in caps and/or edit it so it reflects the correct fix. 


When life hands you lemons, bring on the Tequila baby!


 
  • imac
  • Head of Product
  • CS-Cart Architects
  • Join Date: 22-Nov 05
  • 2043 posts

Posted 30 December 2016 - 11:57 AM #11

> Imac, I think it's a good idea to either delete the old post, or put a link to this one in caps and/or edit it so it reflects the correct fix.

Thank you Flow,

Did this.


Ilya Makarov,
CS-Cart Architect Team

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 939 posts

Posted 30 December 2016 - 11:57 PM #12

Thanks Ilya but I am using 4.3.9 and have no intention of upgrading for a while.

How do I use file changes detector if it's not available in my current version ?

I remember way back there was an address bar entry to do it.



 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 31 December 2016 - 07:56 AM #13

> Thanks Ilya but I am using 4.3.9 and have no intention of upgrading for a while.
>
> How do I use file changes detector if it's not available in my current version ?
>
> I remember way back there was an address bar entry to do it.

?dispatch=tools.view_changes


BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 939 posts

Posted 31 December 2016 - 09:46 PM #14

Thanks BarryH and Happy New Year.

 

My New Year present.

The fix stuffed my php mailer and the SMTP is as useful as it ever was.

No outgoing mail at all after phpmailer edit.

I restored to original values. Still no luck.

 

What really puzzles me now is WHY edit the file.

Why didn't CS-Cart support just provide entire files which could be substituted ? They are only about 100kb.

I followed the editing instructions correctly yet my mailer is now broken.

No error messages, simply non-function.



 
  • IsItFast
  • Senior Member
  • Members
  • Join Date: 16-Sep 08
  • 524 posts

Posted 31 December 2016 - 11:46 PM #15

Could this update be causing any mail issues on my server?  I noticed shortly after I did this fix that 2 things happened.  My cart started sending 2 receipts of orders to my email now.  And then I am also seeing about a 10 second delay when sending emails through my mail client.  Not sure that this would be the cause but just thought it was funny things started acting weird about this time (for the last 2 days).  My host doesn't see anything odd happening with my mail server so thought I'd ask.


V4.3.1 with about 10,000 highly customizable products. Several mods done....some of which now come standard with CS now. (Started with V1.3.5) https://fastdecals.com

V3.0 in a few other small stores.


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 939 posts

Posted 01 January 2017 - 12:13 AM #16

IsItFast...Happy New Year.

At least your mails are being SENT...lol

 

Thankfully I have determined that the fault is not mine.
The php mailer non-function occurred after CS-Cart support upgraded my store.

 

Our CS-Cart store only has activity when we promote sales.

CS-Cart upgraded our store on 29 Nov 2016 with no sales until today.

None of today's sales generated advisory emails.

Coincidence ? I think not.



 
  • markhedley
  • Advanced Member
  • Trial users
  • Join Date: 19-Nov 16
  • 129 posts

Posted 01 January 2017 - 05:10 AM #17

> IsItFast...Happy New Year.
>
> At least your mails are being SENT...lol
>
> Thankfully I have determined that the fault is not mine.
> The php mailer non-function occurred after CS-Cart support upgraded my store.
>
> Our CS-Cart store only has activity when we promote sales.
>
> CS-Cart upgraded our store on 29 Nov 2016 with no sales until today.
>
> None of today's sales generated advisory emails.
>
> Coincidence ? I think not.

Did you check your mail.log?



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 939 posts

Posted 01 January 2017 - 12:40 PM #18

mail.log ?

Not sure where that might be. The php mailer 'appears' to be working when I do the test recommended by CS-Cart documentation but no mail is being sent ???



 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4467 posts

Posted 01 January 2017 - 02:33 PM #19

> mail.log ?
>
> Not sure where that might be. The php mailer 'appears' to be working when I do the test recommended by CS-Cart documentation but no mail is being sent ???

Which mails are not being sent, order statuses?

Try filling in a contact us form and see if that sends; it could be the statuses configured wrong?


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11190 posts

Posted 01 January 2017 - 09:00 PM #20

I believe Mark means the /var/log/maillog file, which records inbound mail activity. Instead, on most Linux systems, outbound mail is in /var/log/exim_mainlog

 

There are two things to look at when having mail problems.

1) Is cs-cart actually generating an email (are your cart settings correct for the email method you're using)?

2) Is the email being delivered to the mail transport service?

3) and possibly whether it was actually delivered (though that usually requires a bit more skill than most merchants possess).

 

The first can be easily done by installing our EZ Log Email addon that will place an entry in the Administration/Logs for each email that is sent (I.e. passed to the mail method in use within your cs-cart).

 

The 2nd relates to the exim_mainlog above.

And the third requires a bit more detailed examination of exim_mainlog and the responses from the remote servers.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.