[TYPO3-dev] TYPO3 Security Bulletin 20070719-1: Remote shell command execution in extensions embedding PHPMailer

Johnny Peck johnny at slipcasemedia.com
Fri Jul 20 12:59:43 CEST 2007


Lars,

I haven't searched for similar posts but have certainly seen the latest 
stream of news on TYPO3.org and I just wanted to say thank you.  You are 
some kind of machine because it seems almost daily you are posting new 
issues on the .org site.  Please keep it up!!

Much appreciation,

Johnny


Lars Houmark wrote:
> Dear users of TYPO3,
> 
> Multiple TYPO3 extensions are affected by the third party tool PHPMailer, 
> which is vulnerable to remote shell command execution.
> 
> ==== Component Type ====
> Third party tool. This tool is not part of the TYPO3 default installation.
> 
> ==== Affected extensions ====
> agprjmgm (version 0.0.1)
> bb_phpmailer (version 1.73.1 and all versions below)
> classifiedads (version 0.1.0 and all versions below)
> ext_tbl (version 0.0.102 and all versions below)
> iwi_phpmail (version 1.0.0 and all versions below)
> job_bank_resume_mgr (version 0.1.0)
> mk_mailorderplan (version 0.3.2)
> pil_mailform (version 3.0.3 and all versions below)
> 
> ==== Vulnerability Type ====
> Remote Shell Command Execution
> 
> ==== Severity ====
> HIGH
> 
> ==== Problem Description ====
> The security issue was found within the popular third party tool 
> PHPMailer, which is embedded in several TYPO3 extensions, but not part 
> of the TYPO3 default system.
> 
> PHPMailer fails to sanitize potential input, which makes it possible to 
> execute arbitrary commands.
> 
> ==== Solution ====
> The TYPO3 Security Team has contacted the authors of all affected 
> extensions, but only some of them have replied. Below is the status of 
> the different extensions.
> 
> == pil_mailform ==
> A fixed version is available in the extension manager and on the below 
> address:
> http://typo3.org/extensions/repository/view/pil_mailform/3.0.4/
> 
> == mk_mailorderplan ==
> A fixed version is available in the extension manager and on the below 
> address:
> http://typo3.org/extensions/repository/view/mk_mailorderplan/0.3.4/
> 
> == job_bank_resume_mgr ==
> A fixed version is available in the extension manager and on the below 
> address:
> http://typo3.org/extensions/repository/view/job_bank_resume_mgr/0.1.1/
> 
> == classifiedads ==
> A fixed version is available in the extension manager and on the below 
> address:
> http://typo3.org/extensions/repository/view/classifiedads/0.1.1/
> 
> == agprjmgm ==
> The extension author has not replied to our communication and a manual 
> patch is needed. See instructions on how to manually patch the extension 
> below.
> 
> == bb_phpmailer ==
> The extension author has replied to our communication, but is unable to 
> release a fixed version. See instructions on how to manually patch the 
> extension below.
> 
> == ext_tbl ==
> The extension author has replied to our communication, but is unable to 
> release a fixed version. See instructions on how to manually patch the 
> extension below.
> 
> == iwi_phpmail ==
> The extension author has replied to our communication, but is unable to 
> release a fixed version. See instructions on how to manually patch the 
> extension below.
> 
> == Manual patching ==
> Locate the file class.phpmailer.php in either the root extension folder, 
> the folder pi1, or the folder phpmailer.
> 
> Locate line 393 of class.phpmailer.php which should look like this:
> 
> $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
> 
> Replace the entire line with the below:
> 
> $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), 
> escapeshellarg($this->Sender));
> 
> Locate line 395 of class.phpmailer.php which should look like this:
> 
> $sendmail = sprintf("%s -oi -t", $this->Sendmail);
> 
> Replace the entire line with the below:
> 
> $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
> 
> If you have no knowledge on patching the file manually, you should 
> either consult a professional or uninstall the extension using the 
> extension manager.
> 
> ==== General advice: ====
> Follow the recommendations that are given in the TYPO3 Security Cookbook 
> [1].
> Keep notice of the TYPO3 security bulletin page [2].
> 
> ==== Credits: ====
> Credits go to Thor Larholm who discovered the issue in PHPMailer, along 
> with the extension authors who fixed their extensions, and the security 
> team members Henning Pingel, Ekkehard Gümbel, Lars Houmark and others, 
> for their efforts in fixing the affected TYPO3 extensions.
> 
> [1] 
> http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
> [2] http://typo3.org/teams/security/security-bulletins/
> 
> Regards,
> 
> Lars Houmark
> lars at typo3.org
> 
> 
> 
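The manual patch in the quoted bulletin changes how class.phpmailer.php builds the sendmail command line. The following is an added example, not code from the bulletin, from PHPMailer or from any of the listed extensions: it places the unsafe sprintf() beside the hardened one so the effect of escapeshellcmd() and escapeshellarg() is visible, and adds an address check in front of it. The function names, the sendmail path and the sample sender values are the example's own.

```php
<?php
// Added example (not from the bulletin or PHPMailer): unsafe vs. hardened
// construction of the sendmail command line that class.phpmailer.php
// assembles with sprintf() and later hands to a shell.
// Function names and sample values are constructed for this example.

declare(strict_types=1);

// Unsafe form, equivalent in shape to the original line 393: the envelope
// sender is interpolated verbatim, so a ';' or other shell metacharacter
// in it ends the sendmail command and starts a new one.
function buildSendmailCommandUnsafe(string $sendmailPath, string $sender): string
{
    return sprintf("%s -oi -f %s -t", $sendmailPath, $sender);
}

// Hardened form, as in the bulletin's manual patch: escapeshellcmd()
// neutralises metacharacters in the program path, and escapeshellarg()
// wraps the sender in single quotes so the shell sees one literal word.
function buildSendmailCommandSafe(string $sendmailPath, string $sender): string
{
    return sprintf(
        "%s -oi -f %s -t",
        escapeshellcmd($sendmailPath),
        escapeshellarg($sender)
    );
}

// Defence in depth: only a syntactically valid e-mail address may reach the
// command line at all. FILTER_VALIDATE_EMAIL rejects whitespace and shell
// separators, so a malformed sender is refused before any escaping happens.
function isAcceptableSender(string $sender): bool
{
    return filter_var($sender, FILTER_VALIDATE_EMAIL) !== false;
}

// Builds the command only for a valid sender; returns null otherwise so the
// caller can log and refuse instead of mailing.
function sendmailCommandFor(string $sendmailPath, string $sender): ?string
{
    if (!isAcceptableSender($sender)) {
        return null;
    }
    return buildSendmailCommandSafe($sendmailPath, $sender);
}

// Constructed sample inputs.
$path = '/usr/sbin/sendmail';
$good = 'webmaster@example.com';
$bad  = 'webmaster@example.com; id';   // constructed: carries a shell separator

// Compare how the two builders treat the same hostile sender.
echo "unsafe: ", buildSendmailCommandUnsafe($path, $bad), PHP_EOL;
echo "safe:   ", buildSendmailCommandSafe($path, $bad), PHP_EOL;

// The validating wrapper accepts the well-formed address and refuses the other.
var_dump(sendmailCommandFor($path, $good));
var_dump(sendmailCommandFor($path, $bad));
```

Run it with the PHP CLI and compare the two command lines: in the unsafe one the semicolon is a live shell separator, in the hardened one it sits inside a single-quoted argument. The validation step is the part that is worth keeping even once the escaping is in place, because an envelope sender that is not an e-mail address has no business in the mail pipeline at all.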



