"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "SECURITY.md" between
PHPMailer-6.4.1.tar.gz and PHPMailer-6.5.0.tar.gz

About: PHPMailer is a PHP email transport class that features multiple file attachments, CCs, BCCs, REPLY-TOs, HTML messages, redundant SMTP servers, and word wrap, among others.

SECURITY.md  (PHPMailer-6.4.1):SECURITY.md  (PHPMailer-6.5.0)
# Security notices relating to PHPMailer # Security notices relating to PHPMailer
Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintai ners privately. Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintai ners privately.
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted
code being called (if such code is injected into the host project's scope by ot
her means). If the `$patternselect` parameter to `validateAddress()` is set to `
'php'` (the default, defined by `PHPMailer::$validator`), and the global namespa
ce contains a function called `php`, it will be called in preference to the buil
t-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use
of simple strings as validator function names. Recorded as [CVE-2021-3603](http
s://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). Reported by [Vikran
t Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/
).
PHPMailer versions 6.4.1 and earlier contain a possible remote code execution vu
lnerability through the `$lang_path` parameter of the `setLanguage()` method. If
the `$lang_path` parameter is passed unfiltered from user input, it can be set
to [a UNC path](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-fo
rmats#unc-paths), and if an attacker is also able to persuade the server to load
a file from that UNC path, a script file under their control may be executed. T
his vulnerability only applies to systems that resolve UNC paths, typically only
Microsoft Windows.
PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP co
de, but by parsing their text content directly. This approach avoids the possibi
lity of executing unknown code while retaining backward compatibility. This isn'
t ideal, so the current translation format is deprecated and will be replaced in
the next major release. Recorded as [CVE-2021-34551](https://web.nvd.nist.gov/v
iew/vuln/detail?vulnId=CVE-2021-34551). Reported by [Jilin Diting Information Te
chnology Co., Ltd](https://listensec.com) via Tidelift.
PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier C VE-2018-19296 object injection vulnerability as a result of [a fix for Windows U NC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff3 6aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.go v/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidel ift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes i n local path contexts. PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier C VE-2018-19296 object injection vulnerability as a result of [a fix for Windows U NC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff3 6aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.go v/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidel ift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes i n local path contexts.
PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttac hment` and other methods that accept attachment names contain double quote chara cters, in contravention of RFC822 3.4.1. No specific vulnerability has been foun d relating to this, but it could allow file attachments to bypass attachment fil ters that are based on matching filename extensions. Recorded as [CVE-2020-13625 ](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security. PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttac hment` and other methods that accept attachment names contain double quote chara cters, in contravention of RFC822 3.4.1. No specific vulnerability has been foun d relating to this, but it could allow file attachments to bypass attachment fil ters that are based on matching filename extensions. Recorded as [CVE-2020-13625 ](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injecti on attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [C VE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitatio n) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Seh un Oh of cyberone.kr. PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injecti on attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [C VE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitatio n) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Seh un Oh of cyberone.kr.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnera bility in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/vi ew/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` exte nsion, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe b y default. There was also an undisclosed potential XSS vulnerability in the defa ult exception handler (unused by default). Patches for both issues kindly provid ed by Patrick Monnerat of the Fedora Project. PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnera bility in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/vi ew/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` exte nsion, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe b y default. There was also an undisclosed potential XSS vulnerability in the defa ult exception handler (unused by default). Patches for both issues kindly provid ed by Patrick Monnerat of the Fedora Project.
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/de tail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from u nfiltered user input, relative paths can map to absolute local file paths and ad ded as attachments. Also note that `addAttachment` (just like `file_get_contents `, `passthru`, `unlink`, etc) should not be passed user-sourced params either! R eported by Yongxiang Li of Asiasecurity. PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/de tail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from u nfiltered user input, relative paths can map to absolute local file paths and ad ded as attachments. Also note that `addAttachment` (just like `file_get_contents `, `passthru`, `unlink`, etc) should not be passed user-sourced params either! R eported by Yongxiang Li of Asiasecurity.
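Review bot: In the added `setLanguage()` entry, the sentence "This isn't ideal, so the current translation format is deprecated" does not say what is not ideal (the text parsing itself, or the legacy format that makes it necessary); name the subject explicitly. Neither new entry gives interim guidance for users still on 6.4.1 or earlier, whereas the older `msgHTML()` entry warns against passing user-sourced parameters; a matching sentence stating that `$lang_path` should never come from unfiltered user input would fit here. The `validateAddress()` entry says the fix is "denying the use of simple strings as validator function names" but does not tell callers who passed a function name as a string what to pass instead. The affected-range wording also differs between the two new entries ("PHPMailer 6.4.1 and earlier" vs "PHPMailer versions 6.4.1 and earlier"); use one form.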
 End of changes. 1 change blocks. 
0 lines changed or deleted 27 lines changed or added
