thr3ads.net - Secure testing team - [Secure-testing-team] Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy) [Nov 2008]

If this information is useful, please help other people find it:
Share via:

Steffen Joeris

2008-Nov-02 12:28 UTC

[Secure-testing-team] Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy)

Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole

Hi Peter,
the following CVE (Common Vulnerabilities & Exposures) id was
published for egroupware-core.

CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote
| attackers to execute arbitrary shell commands via shell metacharacters
| in the SendmailSend function in class.phpmailer.php.

You''ll find a patch for the issue here[1]. However, it would be nice,
if you could depend against the libphp-phpmailer package, instead
of shipping a copy of the code.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
    http://security-tracker.debian.net/tracker/CVE-2007-3215
[1] http://klecker.debian.org/~white/libphp-phpmailer/class.phpmailer.php.patch

Secure testing team - Nov 2008 - Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy)

[Secure-testing-team] Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy)