[TYPO3] TYPO3 Security Bulletin 20070719-1: Remote shell command execution in extensions embedding PHPMailer
Lars Houmark
lars at typo3.org
Thu Jul 19 17:10:55 CEST 2007
Dear users of TYPO3,
Multiple TYPO3 extensions are affected by a flaw in the third party tool
PHPMailer, which they embed and which is vulnerable to remote shell
command execution.
==== Component Type ====
Third party tool. This tool is not part of the TYPO3 default
installation.
==== Affected extensions ====
agprjmgm (version 0.0.1)
bb_phpmailer (version 1.73.1 and all versions below)
classifiedads (version 0.1.0 and all versions below)
ext_tbl (version 0.0.102 and all versions below)
iwi_phpmail (version 1.0.0 and all versions below)
job_bank_resume_mgr (version 0.1.0)
mk_mailorderplan (version 0.3.2)
pil_mailform (version 3.0.3 and all versions below)
==== Vulnerability Type ====
Remote Shell Command Execution
==== Severity ====
HIGH
==== Problem Description ====
The security issue was found within the popular third party tool
PHPMailer, which is embedded in several TYPO3 extensions but is not
part of the TYPO3 default system.
PHPMailer builds the sendmail command line with sprintf() and places
the sender address into it unescaped. When mail is delivered through
the sendmail binary, an attacker who controls the sender address can
therefore append shell metacharacters and have arbitrary commands
executed on the web server.
==== Solution ====
The TYPO3 Security Team has contacted the authors of all affected
extensions, but only some of them have replied. Below is the status
of the different extensions.
== pil_mailform ==
A fixed version is available in the extension manager and at the
address below:
http://typo3.org/extensions/repository/view/pil_mailform/3.0.4/
== mk_mailorderplan ==
A fixed version is available in the extension manager and at the
address below:
http://typo3.org/extensions/repository/view/mk_mailorderplan/0.3.4/
== job_bank_resume_mgr ==
A fixed version is available in the extension manager and at the
address below:
http://typo3.org/extensions/repository/view/job_bank_resume_mgr/0.1.1/
== classifiedads ==
A fixed version is available in the extension manager and at the
address below:
http://typo3.org/extensions/repository/view/classifiedads/0.1.1/
== agprjmgm ==
The extension author has not replied to our communication and a
manual patch is needed. See instructions on how to manually patch the
extension below.
== bb_phpmailer ==
The extension author has replied to our communication, but is unable
to release a fixed version. See instructions on how to manually patch
the extension below.
== ext_tbl ==
The extension author has replied to our communication, but is unable
to release a fixed version. See instructions on how to manually patch
the extension below.
== iwi_phpmail ==
The extension author has replied to our communication, but is unable
to release a fixed version. See instructions on how to manually patch
the extension below.
== Manual patching ==
Locate the file class.phpmailer.php in either the root extension
folder, the folder pi1, or the folder phpmailer.
Locate line 393 of class.phpmailer.php, which should look like this:
$sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
Replace the entire line with the one below:
$sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
Locate line 395 of class.phpmailer.php, which should look like this:
$sendmail = sprintf("%s -oi -t", $this->Sendmail);
Replace the entire line with the one below:
$sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
If the line numbers differ in your copy of the file, search for the two
sprintf() calls that build the sendmail command line instead; both must
be changed.
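To make the effect of the two patched lines visible without sending any mail, the following script (an added example for this bulletin, not code from PHPMailer or from any of the listed extensions) builds the sendmail command line the way the original line 393 and its replacement do and prints both results for a constructed hostile sender address. The sendmail path and the sender value are test inputs chosen for the example; the address validator at the end is an additional defence-in-depth check of our own and is not part of the PHPMailer patch.

```php
<?php
// Added example for TYPO3 Security Bulletin 20070719-1. It reproduces the
// command-line construction from class.phpmailer.php (vulnerable and
// patched) without executing anything, so the difference can be inspected.

/** Vulnerable construction, mirroring the original line 393 of class.phpmailer.php. */
function buildSendmailCommandVulnerable(string $sendmailPath, string $sender): string
{
    return sprintf("%s -oi -f %s -t", $sendmailPath, $sender);
}

/** Patched construction, mirroring the replacement line from this bulletin. */
function buildSendmailCommandPatched(string $sendmailPath, string $sender): string
{
    return sprintf("%s -oi -f %s -t", escapeshellcmd($sendmailPath), escapeshellarg($sender));
}

/**
 * Defence in depth (our assumption, not part of the PHPMailer patch):
 * reject a sender that is not a plain mailbox address before it is ever
 * handed to a shell. escapeshellarg() quotes the value; this rejects it.
 */
function isPlainAddress(string $sender): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $sender);
}

// Assumed sendmail path for the example.
$sendmailPath = '/usr/sbin/sendmail';

// Constructed hostile sender: a valid-looking address followed by a shell
// metacharacter and a second command. A harmless command is used here.
$hostileSender = 'user@example.com; id';

$vulnerable = buildSendmailCommandVulnerable($sendmailPath, $hostileSender);
$patched    = buildSendmailCommandPatched($sendmailPath, $hostileSender);

// Unpatched: the shell started by popen() in PHPMailer would see the text
// after the ';' as a separate command.
echo "vulnerable: $vulnerable\n";

// Patched: escapeshellarg() turns the whole sender into a single quoted
// argument to -f, so the ';' is plain data to sendmail.
echo "patched:    $patched\n";

// With a validator in front of the shell the hostile value never gets this far.
echo "validator accepts hostile sender: ", isPlainAddress($hostileSender) ? 'yes' : 'no', "\n";
echo "validator accepts plain sender:   ", isPlainAddress('user@example.com') ? 'yes' : 'no', "\n";
```

Run it with `php` on the command line and compare the two printed command lines: in the patched one the sender appears as one single-quoted argument to -f (on Windows PHP quotes with double quotes instead). Note that escapeshellarg() only stops the shell from interpreting the value; it does not check that the value is an address, which is why a validator such as isPlainAddress() belongs in the extension code in front of PHPMailer as well.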
If you are not comfortable patching the file manually, you should
either consult a professional or uninstall the extension using the
extension manager.
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook [1].
Watch the TYPO3 security bulletin page [2] for further bulletins.
==== Credits ====
Credits go to Thor Larholm, who discovered the issue in PHPMailer,
along with the extension authors who fixed their extensions and the
security team members Henning Pingel, Ekkehard Gümbel, Lars Houmark
and others, for their efforts in fixing the affected TYPO3 extensions.
[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[2] http://typo3.org/teams/security/security-bulletins/
Regards,
Lars Houmark
lars at typo3.org
More information about the TYPO3-english mailing list