Opened 3 years ago

Closed 2 months ago

Last modified 2 months ago

#40472 closed defect (bug) (fixed)

Update PHPMailer to 5.2.27

Reported by: MattyRob
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: critical
Version:
Component: External Libraries
Keywords: has-patch dev-feedback
Focuses:
Cc:
PR Number:

Description

There is a minor maintenance release for PHPMailer that we should consider patching to.
https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.23

Attachments (8)

40472.diff (6.7 KB) - added by MattyRob 3 years ago.
40472v2.diff (10.2 KB) - added by MattyRob 2 years ago.
40472v3.diff (74.2 KB) - added by MattyRob 2 years ago.
40472v4.diff (338.3 KB) - added by MattyRob 2 years ago.
40472v5.diff (338.1 KB) - added by MattyRob 23 months ago.
40472v6.diff (338.9 KB) - added by MattyRob 12 months ago.
Patch also fixes indents to tabs.
45838-phpmailer-5-2-27-upgrade.patch (6.6 KB) - added by ayeshrajans 10 months ago.
Hello everyone, this is a rather clean patch of PHPMailer v5.2.22...v5.2.27.
40472.7.diff (16.5 KB) - added by SergeyBiryukov 2 months ago.

Change History (58)

#1 @MattyRob
3 years ago

  • Keywords has-patch needs-testing added
  • Severity changed from normal to minor

#2 @lukecavanagh
3 years ago

40472.diff Patch applies cleanly.

#3 @MattyRob
3 years ago

  • Keywords needs-testing removed

I've tested emails and everything appears functional with the patch and PHP Unit Tests all pass in the mail test suite.

#4 @Presskopp
2 years ago

FYI: 5.2.24 is current (also fixing a security issue that doesn't affect WordPress, as far as I can tell)

#5 @MattyRob
2 years ago

  • Keywords needs-testing added
  • Summary changed from Update PHPMailer to 5.2.23 to Update PHPMailer to 5.2.24

#6 @Presskopp
2 years ago

  • Summary changed from Update PHPMailer to 5.2.24 to Update PHPMailer to 5.2.25

Version 5.2.25 (August 28th 2017)

Make obtaining SMTP transaction ID more reliable

Add Bosnian translation

This is the last official release in the legacy PHPMailer 5.2 series; there may be future security patches (which will be found in the 5.2-stable branch), but no further non-security PRs or issues will be accepted.

Migrate to PHPMailer 6.0.

#7 @netweb
2 years ago

Related: #41750 Update PHPMailer to 6.0

#8 @peopleinside
2 years ago

  • Severity changed from minor to normal

Hi,
Currently I can see mail coming out of WordPress from PHPMailer 5.2.22, which has a security vulnerability.

I am asking when this will be fixed with an update in WordPress.
Thank you.

I am using the SMTP Mailer plugin and opened an issue, but the plugin author says that the plugin uses the WordPress PHPMailer, so the WordPress PHPMailer seems to be vulnerable, 5.2.22
https://wordpress.org/support/topic/php-mailer-vulnerability/#post-9563243

On PHP Mailer 5.2.24
SECURITY Fix XSS vulnerability in one of the code examples, CVE-2017-11503. The code_generator.phps example did not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

#9 follow-up: @bgermann
2 years ago

CVE-2017-11503 is not an issue for WordPress, because the example is not included. BUT the potential XSS vulnerability may be an issue. The fix can be seen at https://github.com/PHPMailer/PHPMailer/commit/d46ba2d186.

It does not need much time to integrate the existing (!) patch, but it would take much time to ensure WordPress is not affected by this. So why not integrate the patch? Please!

#10 in reply to: ↑ 9 @aaroncampbell
2 years ago

  • Severity changed from normal to minor

I took a look through our code and it doesn't look like we use the phpmailerException::errorMessage() helper function anywhere, which would mean the reported potential XSS doesn't affect WordPress core.

I'm of the general opinion that keeping our libraries up to date is good, it's just not security related in this case.

As a side note, if it was a valid security issue it should really be reported to https://hackerone.com/wordpress and not discussed publicly here on Trac.

#12 @MattyRob
2 years ago

  • Severity changed from minor to major

@Presskopp

I believe it may pose a risk but should not cause issues in the default WordPress configuration, patch updated.

Last edited 2 years ago by MattyRob

#13 @rogueresearch
23 months ago

I'm using WordPress 4.9.1 (current) and started evaluating the Ninja Forms plugin (which can send emails). In the headers of the emails it generates, I see:

X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)

This concerned me because:

1) 5.2.22 is a year old (2017-01-09).
2) 5.2 branch is only getting security updates at this point.
3) 5.2.24 has security fixes (CVE-2017-11503).
4) 5.2.26 is current (2017-11-04) and contains another security fix.

Even if the security issue doesn't affect the WP core, might it not affect plugins?

@MattyRob: I tried to look at your patch, but it seems there was a space<->tab change, making it difficult to review.

What is required to move this along? I could help with testing...

#14 @rogueresearch
23 months ago

40472v5.diff still has the space<->tab changes, but nevertheless the patch applies correctly. I'm now trying it on my test server...

#15 @bgermann
23 months ago

  • Summary changed from Update PHPMailer to 5.2.25 to Update PHPMailer to 5.2.26

#16 @MattyRob
23 months ago

  • Summary changed from Update PHPMailer to 5.2.26 to Update PHPMailer to 5.2.25

@rogueresearch

Try the updated patch - hopefully that'll work better for you.

Apologies, late post as I slept my computer too fast this morning. I see you are testing now.

Last edited 23 months ago by MattyRob

#17 @MattyRob
23 months ago

  • Summary changed from Update PHPMailer to 5.2.25 to Update PHPMailer to 5.2.26

#18 @rogueresearch
23 months ago

I've tested, and it seems to work just fine for me. I'm not doing anything very fancy, just using the Ninja Forms plugin, and it's successfully sending email and the "X-Mailer:" header indeed shows 5.2.26 now.

#19 @MattyRob
23 months ago

  • Keywords dev-feedback added; needs-testing removed

I've tested for a few weeks and am getting notifications about comments, from the Stop Spammers plugin and also from Subscribe2 for post notifications. Checked on 2 installs.

#20 @rogueresearch
22 months ago

Did this get into WP 4.9.2?

#21 @bgermann
22 months ago

No, it did not.

#22 follow-up: @rogueresearch
22 months ago

So we have 1) a patch 2) testing completed on several installs by several people

What more is needed to get this in WordPress?!

#23 in reply to: ↑ 22 @slaFFik
22 months ago

Replying to rogueresearch:

So we have 1) a patch 2) testing completed on several installs by several people

What more is needed to get this in WordPress?!

#courage :)

---

@SergeyBiryukov Sorry for bringing you here, but can you please take a look?

#24 @rogueresearch
17 months ago

Is there any paid support to get this fixed?

#25 @here
12 months ago

New version available 5.2.27 including a security vulnerability patch. Note also that PHPMailer v5.2.x reaches end of life at end of 2018 and will no longer receive security updates.

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

#26 @bgermann
12 months ago

  • Severity changed from major to critical
  • Summary changed from Update PHPMailer to 5.2.26 to Update PHPMailer to 5.2.27

@MattyRob
12 months ago

Patch also fixes indents to tabs.

#27 @rogueresearch
12 months ago

@MattyRob thanks for updating the patch. I've installed it on my test server and tried it with the NinjaForms plugin. It seems to work fine. And the email header reflects the new version:

X-Mailer: PHPMailer 5.2.27 (https://github.com/PHPMailer/PHPMailer)

#28 @bgermann
12 months ago

Every wp_mail call with the $attachments parameter set is vulnerable to CVE-2018-19296. WP Core does not call wp_mail with $attachments. But plugins that do and have no mitigating check in place are vulnerable.
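
A sketch of the kind of mitigating check comment #28 refers to, added here as an example; it is not part of the ticket, WordPress core or PHPMailer. It assumes the concern is attachment paths that are not plain local files (for example, paths carrying a stream-wrapper scheme); the function name `example_filter_mail_attachments` and the `$allowed_dir` parameter are hypothetical.

```php
<?php
// Added example: hypothetical plugin-side helper, not WordPress core or PHPMailer code.

/**
 * Keep only attachments that are regular files inside $allowed_dir.
 * @param string[] $paths       Candidate attachment paths.
 * @param string   $allowed_dir Directory the plugin stores attachments in.
 * @return string[] Canonical paths that passed every check.
 */
function example_filter_mail_attachments( array $paths, $allowed_dir ) {
	$base = realpath( $allowed_dir );
	if ( false === $base ) {
		return array(); // Fail closed if the base directory is missing.
	}
	$base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

	$safe = array();
	foreach ( $paths as $path ) {
		// Reject anything with a URL-style scheme before touching the filesystem.
		if ( ! is_string( $path ) || preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $path ) ) {
			continue;
		}
		$real = realpath( $path ); // Resolves symlinks and "..".
		if ( false === $real || ! is_file( $real ) ) {
			continue;
		}
		// The canonical path must stay under the allowed directory.
		if ( 0 !== strncmp( $real, $base, strlen( $base ) ) ) {
			continue;
		}
		$safe[] = $real;
	}
	return $safe;
}

// Constructed sample input: one legitimate file and three paths to refuse.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-attachments';
is_dir( $dir ) || mkdir( $dir );
file_put_contents( $dir . DIRECTORY_SEPARATOR . 'report.txt', 'constructed sample' );

$candidates = array(
	$dir . DIRECTORY_SEPARATOR . 'report.txt',
	'phar://' . $dir . '/upload.jpg',
	$dir . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'outside.txt',
	'/nonexistent/file.pdf',
);
var_dump( example_filter_mail_attachments( $candidates, $dir ) );
```

A plugin would pass the returned array, rather than the raw input, as the `$attachments` argument of `wp_mail()`.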

#29 @ocean90
10 months ago

#45838 was marked as a duplicate.

@ayeshrajans
10 months ago

Hello everyone, this is a rather clean patch of PHPMailer v5.2.22...v5.2.27.

#30 @slaFFik
10 months ago

I would love to see this coming in the next WordPress release.

#31 @rogueresearch
10 months ago

This ticket has been an enlightening experience:

  • there have been patches
  • they have been tested
  • it's a security issue
  • I've offered to pay

And yet nothing happens. I understand now why WordPress has a reputation for horrible security!

#32 @bgermann
10 months ago

  • Type changed from enhancement to defect (bug)
  • Version 4.8 deleted

#33 @bgermann
8 months ago

As WordPress 5.2 will move to PHP 5.6 as a minimum requirement, PHPMailer can be updated to 6.0.x.

#34 @slaFFik
8 months ago

@bgermann No, it can't. PHPMailer 6.x is a breaking change.

Also, unless announced on make.wordpress.org/core, WordPress 5.2 does not necessarily mean PHP 5.6+ at this point.

#35 @bgermann
8 months ago

I think I read the announcement.

#37 @slaFFik
8 months ago

@ocean90, as a component maintainer could you please take a look and consider this task to be included in WP 5.2?
Its feature-freeze window is close enough, and I'm not sure that after that point lib updates are allowed.
Thank you.

#38 @rogueresearch
8 months ago

I notice this ticket isn't 'owned by' anyone. Surely assigning it to someone makes sense?

It's been 2 years now! This is not some big change, it's a minor patch to a stable branch of library code already tested by many many others out there. *and* a security issue.

How is it not important to any of the paid developers working on WordPress?

#39 @bgermann
8 months ago

@slaFFik How about https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release?

@rogueresearch Thanks for pointing that out again. Maybe the bug only gets attention if someone mentions it in an appropriate meeting on slack?

#40 @peopleinside
8 months ago

Sorry, how can I stop emails about this ticket from disturbing me? I tried and I tried but never found how.

I see "You do not receive notifications because you have blocked this ticket. Unblock" but continue to receive disturbing emails.

#41 @peopleinside
8 months ago

I flagged this email as spam as I am unable to unsubscribe.

#42 @Secure-InformationTechnology
2 months ago

I am constantly getting spam sent to me via my own WordPress install. Spammers are currently exploiting this to contact the WordPress admin of the install by using the class-phpmailer.php (v5.2.22).

This ticket was mentioned in Slack in #core by hareesh-pillai.

2 months ago

#44 @mikeschroder
2 months ago

This ticket was brought up in today's ticket scrub.

As of WordPress 5.2, PHP 5.6.20+ is required, so if that was the remaining limitation in upgrading, it shouldn't be a blocker anymore.

If there are open security concerns, those should be directed to https://hackerone.com/wordpress.

Outside of that, what changes would be required to upgrade to the newest version?

#45 follow-up: @Presskopp
2 months ago

Why not go for PHPMailer v6 (Requires PHP 5.5 or later), because v5 is deprecated?

#46 @bgermann
2 months ago

I brought this issue up in hackerone half a year ago but was ignored up to now.

#47 in reply to: ↑ 45 ; follow-up: @SergeyBiryukov
2 months ago

Replying to Presskopp:

Why not go for PHPMailer v6 (Requires PHP 5.5 or later), because v5 is deprecated?

Per https://github.com/PHPMailer/PHPMailer/blob/master/UPGRADING.md, PHPMailer 6.0 is a major update, breaking backward compatibility.

I'd suggest updating to the latest PHPMailer 5.x for now, and then creating a new ticket to explore what's needed for upgrading to PHPMailer 6.0.

#48 @SergeyBiryukov
2 months ago

  • Milestone changed from Awaiting Review to 5.3

40472.7.diff includes the changes to wp-includes/class-smtp.php.

#49 @SergeyBiryukov
2 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 46097:

Mail: Update PHPMailer to 5.2.27.

The full list of changes is available here:
https://github.com/PHPMailer/PHPMailer/compare/v5.2.22...PHPMailer:v5.2.27

Props MattyRob, ayeshrajans, rogueresearch, bgermann, slaFFik, Presskopp, aaroncampbell.
Fixes #40472.

#50 in reply to: ↑ 47 @SergeyBiryukov
2 months ago

Replying to SergeyBiryukov:

I'd suggest updating to the latest PHPMailer 5.x for now, and then creating a new ticket to explore what's needed for upgrading to PHPMailer 6.0.

Follow-up: #41750.