PHP Mailer Patch Implemented by my Hosting Provider

Hi - I got the message below from my hosting company - suggest that next release of OJS includes the patched version of PHP Mailer…

~steve

Dear Customer,

This is an email to let you know that we have detected a software vulnerability within PHP application(s) installed in your web hosting account. To prevent system abuse resulting from exploitation of this, our system has automatically patched your account for you. Here is a summary of what was modified:

Code injection vulnerability in PHPMailer
/home/academi1/public_html/lib/pkp/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php

Vulnerabilities such as these can allow third parties to access your web hosting account and abuse it by, for example, uploading malware for nefarious purposes. Our patches should be considered as a temporary solution to enhance your account security, and we strongly recommend you check the entire web hosting account for other files that appear out of place, which our detection system might have missed.

It may be that the software running your web site is not up to date with the latest secure release. We do recommend that you double check that your applications, as well as any plugins, extensions, addons or themes you may have installed, are up-to-date with the latest release.

To help you understand more about vulnerabilities, how you can resolve these and what we’re doing to help protect you, we’ve produced a detailed explanation in our knowledgebase.

For more information on our vulnerability notification system, including information about how to access Patchman to see all the detected vulnerabilities in your site software, please visit our Patchman knowledgebase articles.

If you have any questions arising from this message, please contact our technical support department by raising a ticket from your my.kualo.com account.

Kind regards,

The Kualo Team


Which version are you running?

Hi @henriqueramos - we are running OJS 3.3.0.8 (sorry, should have stated)

It’s much safer to use SMTP instead of PHP Mailer. You will see this (smtp mail settings) in the config file.

Hi @SteveRoe,

I can see two “high-risk” vulnerabilities listed for PHPMailer 6.2.0, which is distributed with OJS 3.3.0-8:

I can confirm that neither is exploitable via OJS.

We use Dependabot, which is integrated with Github, to report vulnerabilities in the third-party dependencies we use. When I get a notification of one of these, I assess its applicability to OJS; if there is an attack surface, I make sure the dependency is updated (and schedule a release). So you should be safe to continue hosting with 3.3.0-8 as is, until such time as we flag a security issue on the OJS download page or send a notification out via the PKP security announcement mailing list.

That said, the patch is probably safe to apply.

@kerimsarigul, just a note that PHPMailer is the SMTP implementation that’s included in OJS 3.3.0-8. I think you’re probably referring to PHP’s mail() function, which is known to be unsafe in some circumstances.

Regards,
Alec Smecher
Public Knowledge Project Team


Yes…
PhpMailer’s security state is not related to OJS. It is seen as insecure for various reasons. For example, many big server companies in Turkey do not allow PHPMailer.

Hi @kerimsarigul,

Are you referring to PHP’s built-in mail() function, or the 3rd party PHPMailer library?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher
I think I used the wrong term. I’m talking about PHP’s Mail function.

Hi @kerimsarigul,

Not a problem – they are very similar-sounding things :)

The issue @SteveRoe is talking about is related to PHPMailer, not PHP’s mail() function. But you’re correct, it’s a good idea to configure OJS to use SMTP to avoid the mail() function, which is not particularly safe.

Regards,
Alec Smecher
Public Knowledge Project Team
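To make the "configure OJS to use SMTP" advice concrete, here is an added example (not from the thread, and not PKP's own template) of the `[email]` section of OJS's config.inc.php. The key names follow OJS 3.3's config.TEMPLATE.inc.php as I understand it; the hostname, port, credentials and addresses are placeholders to replace with your own.

```ini
; Added example, not from the thread or from PKP. Key names follow the
; OJS 3.3 config template as I understand it; every value below is a
; placeholder.
[email]

; Before (OJS default): SMTP is off, so OJS hands outgoing mail to PHP's
; mail() function, which is what the thread recommends moving away from.
;smtp = Off

; After: deliver through an authenticated SMTP server over TLS.
smtp = On

; Placeholder host and the submission port (587 with STARTTLS; use 465
; with smtp_auth = ssl for implicit TLS).
smtp_server = smtp.example.org
smtp_port = 587

; In OJS 3.3 this key selects the transport encryption: "ssl" or "tls".
smtp_auth = tls

; Placeholder credentials. They live in config.inc.php in clear text, so
; keep that file readable only by the web server user.
smtp_username = ojs-mailer
smtp_password = replace-me

; Keep certificate verification on; setting this to On silently accepts
; any certificate the SMTP server presents.
smtp_suppress_cert_check = Off

; Pin the envelope sender to a domain you control so bounces and DMARC
; alignment do not depend on individual users' addresses.
default_envelope_sender = no-reply@journal.example.org
force_default_envelope_sender = On
```

OJS reads config.inc.php on every request, so no restart is needed; after the change, trigger any notification (for example a password reset) and confirm in the SMTP server's log that the message was accepted over the encrypted session rather than handed to the local mail() pipeline.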


many thanks for the explanation!!
