TYPO3-20070719-1: Remote shell command execution in extensions embedding PHPMailer

July 19, 2007

Category: TYPO3 Extension
Keywords: TYPO3, security, phpmailer, agprjmgm, bb_phpmailer, classifiedads, ext_tbl, iwi_phpmail, job_bank_resume_mgr, mk_mailorderplan, pil_mailform

Multiple TYPO3 extensions are affected through the third party tool PHPMailer, which is vulnerable to remote shell command execution.

Component Type: Third party tool. This tool is not part of the TYPO3 default installation.

Affected extensions:
agprjmgm (version 0.0.1)
bb_phpmailer (version 1.73.1 and all versions below)
classifiedads (version 0.1.0 and all versions below)
ext_tbl (version 0.0.102 and all versions below)
iwi_phpmail (version 1.0.0 and all versions below)
job_bank_resume_mgr (version 0.1.0)
mk_mailorderplan (version 0.3.2)
pil_mailform (version 3.0.3 and all versions below)

Vulnerability Type: Remote Shell Command Execution

Severity: HIGH

Problem Description:
The security issue was found within the popular third party tool PHPMailer, which is embedded in several TYPO3 extensions, but not part of the TYPO3 default system.

PHPMailer fails to sanitize input that is passed into a shell command line, which makes it possible to execute arbitrary commands.

Solution:
The TYPO3 Security Team has contacted the authors of all affected extensions, but only some of them have replied. Below is the status of the different extensions.

pil_mailform
A fixed version is available in the extension manager and at the address below:
http://typo3.org/extensions/repository/view/pil_mailform/3.0.4/

mk_mailorderplan
A fixed version is available in the extension manager and at the address below:
http://typo3.org/extensions/repository/view/mk_mailorderplan/0.3.4/

job_bank_resume_mgr
A fixed version is available in the extension manager and at the address below:
http://typo3.org/extensions/repository/view/job_bank_resume_mgr/0.1.1/

classifiedads
A fixed version is available in the extension manager and at the address below:
http://typo3.org/extensions/repository/view/classifiedads/0.1.1/

agprjmgm
The extension author has not replied to our communication and a manual patch is needed. See instructions on how to manually patch the extension below.

bb_phpmailer
The extension author has replied to our communication, but is unable to release a fixed version. See instructions on how to manually patch the extension below.

ext_tbl
The extension author has replied to our communication, but is unable to release a fixed version. See instructions on how to manually patch the extension below.

iwi_phpmail
The extension author has replied to our communication, but is unable to release a fixed version. See instructions on how to manually patch the extension below.

Manual patching
Locate the file class.phpmailer.php in either the root extension folder, the folder pi1, or the folder phpmailer.

Locate line 393 of class.phpmailer.php which should look like this:

$sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);

Replace the entire line with the below:

$sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));

Locate line 395 of class.phpmailer.php which should look like this:

$sendmail = sprintf("%s -oi -t", $this->Sendmail);

Replace the entire line with the below:

$sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
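The two replacement lines above are the whole fix: the sendmail path and the envelope sender are both interpolated into a shell command string, and wrapping them in escapeshellcmd() and escapeshellarg() keeps the sender inside a single quoted argument. The following is an added example, not code from the advisory, from PHPMailer or from any of the listed extensions; the function names, the sendmail path and the sample sender values are assumptions. It builds the command line the way the patched lines do, and adds an optional validation step with filter_var() as a defence in depth for extensions that take the sender from a form.

```php
<?php
// Added example (not from the advisory, PHPMailer or any TYPO3 extension).
// Function names, the sendmail path and the sample values are assumptions.

/**
 * Build the sendmail command line the way the two patched lines do.
 * $sendmailPath is the configured binary, $sender the envelope sender
 * address, which in several of the listed extensions comes from a form.
 */
function buildSendmailCommand(string $sendmailPath, ?string $sender): string
{
    if ($sender !== null && $sender !== '') {
        // escapeshellcmd() neutralises shell metacharacters in the path;
        // escapeshellarg() wraps the sender in single quotes and escapes any
        // embedded quote, so the whole value is passed as ONE argument.
        return sprintf('%s -oi -f %s -t',
            escapeshellcmd($sendmailPath), escapeshellarg($sender));
    }
    return sprintf('%s -oi -t', escapeshellcmd($sendmailPath));
}

/**
 * Defence in depth: accept only a plain mailbox address as the sender
 * before it gets anywhere near a shell. Returns null when rejected.
 */
function safeSender(?string $candidate): ?string
{
    if ($candidate === null) {
        return null;
    }
    $candidate = trim($candidate);
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs: a normal address and one that carries
// whitespace and a single quote, characters a shell would otherwise parse.
$samples = [
    'user@example.com',
    "bad sender'@example.com",
];

foreach ($samples as $raw) {
    $checked = safeSender($raw);
    echo "input   : $raw\n";
    echo "valid   : " . ($checked === null ? 'rejected' : 'ok') . "\n";
    // Even without the validation step, the escaped command keeps the raw
    // value inside one quoted argument instead of splitting it into tokens.
    echo "command : " . buildSendmailCommand('/usr/sbin/sendmail', $raw) . "\n\n";
}
```

For the second sample the escaped command reads `/usr/sbin/sendmail -oi -f 'bad sender'\''@example.com' -t`, i.e. sendmail receives the whole string as the single value of -f. The validation step is not part of the advisory's patch; it is the check an extension author would add in front of PHPMailer so that an invalid sender is rejected before any command line is built.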

If you have no knowledge on patching the file manually, you should either consult a professional or uninstall the extension using the extension manager.

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.
Keep an eye on the TYPO3 security bulletin page at http://typo3.org/teams/security/security-bulletins/.

Credits: Credits go to Marc Bastian Heinrichs who informed the security team, Thor Larholm who discovered the issue in PHPMailer, along with the extension authors who fixed their extensions, and the security team members Henning Pingel, Ekkehard Gümbel, Lars Houmark and others, for their efforts in fixing the affected TYPO3 extensions.