Security issues with CB's PhP Mailer?

Hi there,

Considering CB uses its own PHPMailer library different from Joomla's, do you have anything to say about this announcement?

developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html

Thanks

Thanks, we are aware of the PHPMailer Security Advisory of Joomla (as a matter of fact, as a JSST member, I also analysed this third-party library vulnerability and its implications and contributed a few of the words to that advisory).

Community Builder and its add-ons are not affected by that vulnerability of this third-party library out of the box.

This is thanks to multiple level of defensive programming and filtering used throughout CB.

Usual disclaimers as follows:

1. Community Builder is highly configurable, and basically a web platform allowing site owners to program what they want. Thus depending on what sites have programmed, and how they programmed it, we cannot make a statement here.

2. If a site uses third-party CB plugins or Joomla extensions that don't use the CB API or Joomla API properly or use their own versions of PHPMailer, we cannot make any statement on them.

We will be issuing an official statement, and will anyway also update the library to its latest version with the next CB release.

Hi Beat,
Didnt quite get this (I have read through the issue by JSST), what are third party PHPmailer? Third party add-ons that replace the Jmailer? Or stuff like Acymailing that use their own mailing APIs? Or 3rd party extensions that use the regular JMailer for sending emails (I have got a LOT of them).
Thanks,
Tim

timstohr wrote: Hi Beat,
Didnt quite get this (I have read through the issue by JSST), what are third party PHPmailer? Third party add-ons that replace the Jmailer? Or stuff like Acymailing that use their own mailing APIs? Or 3rd party extensions that use the regular JMailer for sending emails (I have got a LOT of them).
Thanks,
Tim

I didn't write "third party PHPmailer", so no idea what you are referring to. PHPMailer is a library from a third-party, included in both Joomla and Community Builder.

Please read carefully again my reply and Joomla's security advisories at developer.joomla.org/security-centre.html .

Regarding the safety of JMail, please refer to Joomla's security advisory.

Regarding safety of third-party extensions, please refer to their respective developers.

Ok, here a bit more of summarizing the advisories of Joomla and of PHPMailer:

PHPMailer's vulnerability only concerns the sender (email's "From:") email address.

So it is an issue only if you have a user-provided email addresses that are used as sender addresses in emails that your server sends out, and not properly validated or filtered before.

In effect, that would mean that you are sending email on behalf of the user from your own webserver. That is anyway considered as bad practice and leads to very poor inbox deliverability, as you can't sign those emails, and if the user's email domain is well configured with DMARC, DKIM and SPF, your email would be rejected or going directly to the spam box of the user.

Putting them in reply-to email addresses, which is the right way to do this, is not vulnerable in PHPMailer.

So to make an as broad as possible statement regarding the PHPMailer vulnerability: Unless you are sending emails (e.g. on the user's behalf) using email addresses provided by users and not properly validated as the email's "From:" address, you should be on the safe side with that PHPMailer vulnerability.

But if you do this, then you should anyway stop doing this, and put your site's email address as sender in the email's "From:" field and the users's email into the email's "Reply-to:" field.

Hope that helps to understand the very narrow extent of the PHPMailer vulnerability in the real world.