On Sunday 02 November 2008 at 00:56 -0600, Raphael Geissert wrote:

> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) id was published for 
> PHPMailer, which affects the embedded copy shipped in 
> phpgroupware-felamimail[0].
> 
> CVE-2007-3215[1]:
> > PHPMailer 1.7, when configured to use sendmail, allows remote attackers to
> > execute arbitrary shell commands via shell metacharacters in the
> > SendmailSend function in class.phpmailer.php.
> 
> The patch for class.phpmailer.php can be found at [2]. However, it would be 
> better if phpgroupware-felamimail just depended on libphp-phpmailer (also 
> available in etch) and the include/require calls changed to use the copy 
> provided by that package, to avoid shipping yet another embedded code copy.
> 
> If you fix the vulnerability please also make sure to include the CVE id in 
> the changelog entry.
> 
> [0] usr/share/phpgroupware/felamimail/inc/class.phpmailer.inc.php
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
>      http://security-tracker.debian.net/tracker/CVE-2007-3215
> [2] http://sourceforge.net/tracker/index.php?func=detail&aid=1734811&group_id=26031&atid=385707
> 

Thanks for spotting this problem.

The referred [2] patch is actually not exactly applicable to the version
of class.phpmailer.php shipped in phpgroupware 0.9.11, and the correct
one is attached.

I'll try and work on preparing a patched package later today.

Best regards,
-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - INF Dept
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
--- class.phpmailer.inc.php.orig	2008-11-02 11:03:57.000000000 +0100
+++ class.phpmailer.inc.php	2008-11-02 11:08:25.000000000 +0100
@@ -591,9 +591,9 @@
      */
     function sendmail_send($header, $body) {
         if ($this->Sender != "")
-            $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
+	  $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
         else
-            $sendmail = sprintf("%s -oi -t", $this->Sendmail);
+	  $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
 
         if([EMAIL PROTECTED] = popen($sendmail, "w"))
         {
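
Review bot: escapeshellcmd() on $this->Sendmail, in both branches, only backslash-escapes shell metacharacters and leaves whitespace untouched, so a Sendmail value containing spaces is still split into extra arguments to the mailer. If that property can ever be set from anything other than trusted site configuration, check it against a fixed path (or with is_executable()) before building the command; otherwise add a comment stating that it is treated as trusted. The escapeshellarg() around $this->Sender is the right call for the -f value. The two added lines are also indented with a tab plus two spaces where the surrounding code uses spaces only; please match the file's indentation.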
