We have installed Varbase for one of our customers and performed the detailed scanning which has, unfortunately, found the following vulnerability:
/home/username/docroot/modules/contrib/smtp/src/PHPMailer/PHPMailer.php - RCE : CVE-2016-10045, CVE-2016-10031
Checking the version with cat /home/username/docroot/modules/contrib/smtp/src/PHPMailer/PHPMailer.php | grep "| Version:"
gives:
| Version: 5.1
which is a really outdated one (since 2016!), because if you read https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045, then it states:
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Also https://www.drupal.org/psa-2016-004 recommends:
Versions affected
All versions of the external PHPMailer library < 5.2.18.
Drupal core is not affected. If you do not use the contributed PHPMailer third party library, there is nothing you need to do.
Solution
Upgrade to the newest version of the phpmailer library. https://github.com/PHPMailer/PHPMailer
Would you please consider modifying the relevant dependency, so that Varbase comes with the latest PHPMailer or at least 5.2.20?
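The `cat ... | grep "| Version:"` check in the summary only finds one copy and only the old banner-style header. The following POSIX shell script is an added example, not code from the issue thread, Varbase or the SMTP module: it walks a docroot, inventories every PHPMailer source file, reads the version out of either the old `| Version:` banner or the later `$Version = '...'` property (both header styles are assumptions about the file formats), and flags anything below 5.2.20, the release the summary cites as fixing CVE-2016-10045. The sample docroot it builds under a temporary directory is constructed for the demonstration and mirrors the `modules/contrib/smtp/src/PHPMailer/PHPMailer.php` path from the report.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Varbase project.
# Inventories PHPMailer copies below a docroot, reads each file's version
# header and flags anything older than 5.2.20 (the fix version named in the
# issue summary). It checks the version string only; treat the output as a
# triage inventory, not as proof that a given copy is exploitable.

MIN_VERSION="5.2.20"

# Compare two dotted numeric versions. Returns 0 when $1 is older than $2.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Extract the version from a PHPMailer source file. Two header styles are
# assumed: the old banner "|   Version: 5.1" (the one the issue's grep
# matches) and the later "$Version = '5.2.x';" class property. Prints
# "unknown" when neither is present.
phpmailer_version() {
    sed -n \
        -e 's/^.*|[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' \
        -e 's/^.*\$Version[[:space:]]*=[[:space:]]*.\([0-9][0-9.]*\).*$/\1/p' \
        "$1" | head -n 1 | grep . || echo unknown
}

# Walk a docroot and print "path version state" for each PHPMailer file.
scan_phpmailer() {
    find "$1" -type f \( -name PHPMailer.php -o -name class.phpmailer.php \) |
    while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ "$v" = unknown ]; then
            state=UNKNOWN
        elif version_lt "$v" "$MIN_VERSION"; then
            state=OUTDATED
        else
            state=OK
        fi
        printf '%s %s %s\n' "$f" "$v" "$state"
    done
}

# Constructed sample docroot (hypothetical files, not a real install): a
# banner-style 5.1 copy at the path from the issue plus a current copy.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/contrib/smtp/src/PHPMailer" "$root/vendor/phpmailer"
    printf '%s\n' '<?php' '/*' '|  Software: PHPMailer - PHP email class   |' \
        '|   Version: 5.1                            |' '*/' \
        > "$root/modules/contrib/smtp/src/PHPMailer/PHPMailer.php"
    printf '%s\n' '<?php' 'class PHPMailer {' "    public \$Version = '$MIN_VERSION';" '}' \
        > "$root/vendor/phpmailer/class.phpmailer.php"
    echo "$root"
}

# Usage: sh scan.sh /home/username/docroot
# Without an argument the script scans the constructed sample tree instead.
if [ $# -gt 0 ]; then
    scan_phpmailer "$1"
else
    root=$(make_sample_docroot)
    scan_phpmailer "$root"
    rm -rf "$root"
fi
```

Each line of output names one file, its version and OUTDATED, OK or UNKNOWN. As comment #22 below points out, the SMTP module's forked copy carries an old banner but was confirmed by the Drupal security team not to be vulnerable, so an OUTDATED row is a prompt to check the module's own advisory and changelog, not a finding on its own.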
Comments
Comment #2
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Thanks Alta for reporting!
The only place is using the PHPMailer is at Drupal Core
core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php
Moving this issue to Drupal Core
Comment #3
AltaGrade CreditAttribution: AltaGrade commented
I am not really sure if it belongs to core since - again - it comes with Varbase as part of the contributed SMTP module in the following directory:
docroot/modules/contrib/smtp/src/PHPMailer/PHPMailer.php
Comment #4
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
No longer using smtp only for legacy and old projects,
It will be removed in the 9.0.x branch
now we are using swiftmailer
Not recommended to enable smtp with swiftmailer
We may move this issue to Varbase Email project to keep track of the issue, if no change or fix needed in Drupal core
Comment #5
cilefen CreditAttribution: cilefen commented
The thing in Drupal core is not https://github.com/PHPMailer/PHPMailer.
Comment #6
cilefen CreditAttribution: cilefen commented
Comment #7
AltaGrade CreditAttribution: AltaGrade commented
It is really good to know that SMTP module has an issue for the outdated PHPMailer. However, after reading this part:
I have to re-open this ticket, because unfortunately Varbase is not coming with swiftmailer. Just run these commands given on https://docs.varbase.vardot.com/getting-started/installing-varbase: and you will see it comes with PHPMailer as part of SMTP by default. I mean we never specified we want specifically SMTP with PHPMailer, we had just followed the official documentation on https://docs.varbase.vardot.com/getting-started/installing-varbase and ended up with SMTP with PHPMailer. So if "No longer using smtp only for legacy and old projects" and, if there is a specific way of installing Varbase with swiftmailer, then either (1) the documentation should be upgraded or (2) the above command (
composer create-project Vardot/varbase-project
) must be fixed so it does not install SMTP with PHPMailer by default, and then you will save lots of Varbase users from confusion.
Comment #8
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #10
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #11
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #12
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #13
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Removed the SMTP module.
The documentation will be updated.
Comment #14
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Feedback by Razem
Reverting this issue
Comment #16
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #17
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #18
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #20
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #21
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented
Comment #22
TR CreditAttribution: TR commented
The whole premise of this issue is wrong - the SMTP module does NOT have a security vulnerability. SMTP used to maintain its own version of PHPMailer, based on a very old version of PHPMailer, but this forked version is also NOT vulnerable (the Drupal security team confirmed this - see https://www.drupal.org/psa-2016-004).
(And by the way, if there were a security concern, it is very wrong to post that in an open forum - you should make a private post to the Security issue queue as described in the instructions shown when opening a new issue.)
Also, the current versions of the SMTP module include the latest up-to-date version of PHPMailer, which is also NOT vulnerable.
The issue summary implies that the SMTP module is a security concern, but IT IS NOT.
While you may want to use something other than SMTP in your distribution for other reasons, please don't imply that it's because SMTP is not secure. The SMTP module is a perfectly fine choice for sending emails from Drupal via the SMTP protocol instead of PHP's built-in mail() function.
Comment #23
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commented