game/_incl_data/vendor/PHPMailer/SECURITY.md

96 lines
7.4 KiB
Markdown
Raw Normal View History

# Security notices relating to PHPMailer
Please disclose any security issues or vulnerabilities found
through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately.
PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is
injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set
to `'php'` (the default, defined by `PHPMailer::$validator`), and the global namespace contains a function called `php`,
it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the
use of simple strings as validator function names. Recorded
as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). Reported
by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/).
PHPMailer versions 6.4.1 and earlier contain a possible remote code execution vulnerability through the `$lang_path`
parameter of the `setLanguage()` method. If the `$lang_path` parameter is passed unfiltered from user input, it can be
set to [a UNC path](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths), and if an attacker
is also able to persuade the server to load a file from that UNC path, a script file under their control may be
executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows.
PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content
directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility. This
isn't ideal, so the current translation format is deprecated and will be replaced in the next major release. Recorded
as [CVE-2021-34551](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34551). Reported
by [Jilin Diting Information Technology Co., Ltd](https://listensec.com) via Tidelift.
PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection
vulnerability as a result
of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9).
Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi
Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.
PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type`
and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names
contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to
this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions.
Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of
Clarified Security.
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths
into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded
as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296).
See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of
vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported
by Sehun Oh of cyberone.kr.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code
examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps`
example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not
normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through
composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception
handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure
vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed
into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as
attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be
passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity.
PHPMailer versions prior to 5.2.20 (released December 28th 2016) are vulnerable
to [CVE-2016-10045](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10045) a remote code execution
vulnerability, responsibly reported
by [Dawid Golunski](https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html),
and patched by Paul Buonopane (@Zenexer).
PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable
to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution
vulnerability, responsibly reported
by [Dawid Golunski](http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html).
PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable
to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting
arbitrary message sending.
PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable
to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution
vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to
that and make use of the html2text function, it's vitally important that you upgrade and remove this file.
PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable
to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack.
Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported
in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747).
PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps (
PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local
file inclusion, reported
in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021)
and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734).
PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported
in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807).
PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands
may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215).