
Drupal 6 workaround for the highly critical vulnerability in PHPMailer
by David Snopek on December 26, 2016 - 5:45pm
You may have noticed that CVE-2016-10033 came out yesterday, which discloses a Remote Code Execution (RCE) vulnerability in the PHPMailer library, which is used by popular contrib modules like SMTP or PHPMailer.
This is a highly critical vulnerability because Remote Code Execution means an attacker can run arbitrary code on your server!
The Drupal Security team just made a PSA today: DRUPAL-PSA-2016-004
The real, full fix is to update the PHPMailer library to version 5.2.19 or later (note that the initial upstream fix was subsequently found to be bypassable, CVE-2016-10045, so 5.2.20 or later is what you actually want), or if you use SMTP module version 7.x-1.5 or lower, to update to SMTP 7.x-1.6 (because SMTP 7.x-1.x embeds the library in the module).
However, if you're using Drupal 6, you probably have an old version of PHPMailer (5.1 or lower), and newer versions may not be compatible with the code on your site (either custom or contrib). Attempting an update in the middle of the holidays when not everyone is available to test or deal with follow-up issues might not be the best idea.
So, what we're recommending (and what we've already done for our customers) is removing the vulnerable feature from the PHPMailer library.
The vulnerability is in PHPMailer's support for sending mail through the local sendmail binary, which is what both its 'sendmail' transport (SendmailSend()) and its PHP mail() transport (MailSend()) end up doing. However, odds are you're using PHPMailer exclusively for sending via SMTP (as the SMTP and PHPMailer modules do), so you can just delete the code for that feature!
Here's how... Open the class.phpmailer.php file, and delete:
- The whole SendmailSend() function
- The whole MailSend() function
- The 'case' statements where those functions are called (if your copy reaches MailSend() from the switch's default: branch rather than a case 'mail':, remove that too, and have the remaining default: return false, so that a $Mailer value other than 'smtp' fails instead of falling back to another transport)
Keep in mind that PHPMailer's built-in default for $Mailer is 'mail', so any code that builds a PHPMailer object without calling IsSMTP() (or setting $Mailer = 'smtp') was relying on the path you're deleting; after the edit, that mail simply won't send, which is the safe failure.
Here's a patch that applies to PHPMailer 5.1 as an example.
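As an added check, not part of the original post or the PHPMailer project: a POSIX shell audit you can run after making the edits above. It greps the library for the two transport functions and the switch arms that dispatch to them, and greps the site's PHP for code that still selects a non-SMTP transport (by assigning $Mailer, or by calling IsSendmail()/IsMail()/IsQmail(), which do the same thing). The function names are this example's own, and the PHP files it inspects are constructed, cut-down stand-ins for class.phpmailer.php and for a contrib module (the switch shape mirrors the 5.x Send() dispatch; check it against your own copy). Point the two functions at your real library file and your sites/ directory instead; don't run the second one against the library itself, since its own `$Mailer = 'mail'` default would trip it.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a site after the
# workaround above has been applied. Function names are this example's own.

# Succeed (0) when FILE no longer defines SendmailSend()/MailSend() and no
# longer dispatches to them; otherwise print the offending lines and fail (1).
phpmailer_sendmail_paths_removed() {
    hits=$(grep -inE \
      "function[[:space:]]+(SendmailSend|MailSend)[[:space:]]*\(|case[[:space:]]+'(sendmail|mail)'|->(SendmailSend|MailSend)[[:space:]]*\(" \
      "$1") || true
    if [ -n "$hits" ]; then
        printf 'vulnerable transport code still present in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Succeed (0) when no PHP source under DIR selects a non-SMTP transport,
# either by assigning $Mailer or by calling IsSendmail()/IsMail()/IsQmail()
# (the qmail variant exists in later 5.2.x releases); otherwise fail (1).
site_selects_only_smtp() {
    hits=$(grep -rinE --include='*.php' --include='*.inc' --include='*.module' \
      "Mailer[[:space:]]*=[[:space:]]*['\"](sendmail|mail|qmail)['\"]|->Is(Sendmail|Mail|Qmail)[[:space:]]*\(" \
      "$1") || true
    if [ -n "$hits" ]; then
        printf 'code under %s still selects a non-SMTP transport:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# ---- constructed sample tree (cut-down stand-ins, not the real files) ----
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/before" "$SAMPLE_DIR/after" "$SAMPLE_DIR/site" "$SAMPLE_DIR/site_bad"

# Unpatched: three transports and a switch over $Mailer. The mail() transport
# is reached from the default: branch, not from a case 'mail':.
cat > "$SAMPLE_DIR/before/class.phpmailer.php" <<'EOF'
<?php
class PHPMailer {
  public $Mailer = 'mail';
  public function Send() {
    switch($this->Mailer) {
      case 'sendmail':
        return $this->SendmailSend($header, $body);
      case 'smtp':
        return $this->SmtpSend($header, $body);
      default:
        return $this->MailSend($header, $body);
    }
  }
  protected function SendmailSend($header, $body) { /* popen()s sendmail */ }
  protected function MailSend($header, $body) { /* calls mail() */ }
  protected function SmtpSend($header, $body) { /* speaks SMTP */ }
}
EOF

# Patched: both functions and their switch arms deleted, and the remaining
# default: fails closed instead of silently falling back to another transport.
cat > "$SAMPLE_DIR/after/class.phpmailer.php" <<'EOF'
<?php
class PHPMailer {
  public $Mailer = 'smtp';
  public function Send() {
    switch($this->Mailer) {
      case 'smtp':
        return $this->SmtpSend($header, $body);
      default:
        return false; // sendmail/mail() transports removed (CVE-2016-10033 workaround)
    }
  }
  protected function SmtpSend($header, $body) { /* speaks SMTP */ }
}
EOF

# A module that only ever uses SMTP, and one that still asks for sendmail.
cat > "$SAMPLE_DIR/site/smtp.module" <<'EOF'
<?php
function smtp_drupal_mail_wrapper($message) {
  $mail = new PHPMailer();
  $mail->IsSMTP();
  return $mail->Send();
}
EOF
cat > "$SAMPLE_DIR/site_bad/custom.module" <<'EOF'
<?php
function custom_send($message) {
  $mail = new PHPMailer();
  $mail->IsSendmail();
  return $mail->Send();
}
EOF

# Stand-alone run: only the "after" library and the "site" tree should pass.
for f in "$SAMPLE_DIR/before/class.phpmailer.php" "$SAMPLE_DIR/after/class.phpmailer.php"; do
    phpmailer_sendmail_paths_removed "$f" && echo "clean: $f"
done
for d in "$SAMPLE_DIR/site" "$SAMPLE_DIR/site_bad"; do
    site_selects_only_smtp "$d" && echo "smtp only: $d"
done
```

In practice you would call `phpmailer_sendmail_paths_removed sites/all/libraries/phpmailer/class.phpmailer.php` and `site_selects_only_smtp sites/` from the Drupal root; a non-zero exit from either means the sendmail path is still reachable and the workaround is incomplete.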
After the holidays will be a great time to evaluate whether PHPMailer 5.2.19 (or later) will work on your site! Although, if your site is now just in maintenance mode, this fix may be sufficient, since it's unlikely that you'll be touching the PHPMailer library any further.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.