Possible security threat on OJS 3.3.0-13 - PHPMailer.php

Hi,

After my recent installation of OJS 3.3.0-13, I have been getting this security warning from one of my cybersecurity tools:

File Name: lib/pkp/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
Type: Code Injection
Description: CVE-2020-36326 - An external file could be unexpectedly executable if it was used as a path to an attachment file via PHP’s support for .phar files. Exploitation requires that an attacker was able to provide an unfiltered path to a file to attach. CVE-2018-19296 - Was vulnerable to an object injection attack by passing phar:// paths into addAttachment() and other functions that could receive unfiltered local paths, possibly lead to RCE.

This information is explicitly on the basis of the code in this file and not generalized to all PHPMailer versions.

Could you please share if this is a real threat and, if/if not, how it can be patched?

Best Regards,
Jaimin

Hi @Jaimin,

No, we do not allow unfiltered attachment paths, so it is not possible to exploit this issue in OJS.

In the future, if you think you might have found a security issue in our software, please contact us per the instructions in SECURITY.md; that’ll ensure that you don’t accidentally disclose an active security risk.

Regards,
Alec Smecher
Public Knowledge Project Team

3 Likes
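
An added example, not part of the original thread and not OJS or PHPMailer code: one way an application can filter attachment paths before they reach addAttachment(), so that the phar:// and other stream-wrapper paths named in the scanner warning are refused. The function name, base directory and sample paths are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: decide whether $path may be handed to
 * PHPMailer::addAttachment(). Only regular files under $baseDir pass.
 */
function isSafeAttachmentPath(string $path, string $baseDir): bool
{
    // 1. Refuse anything shaped like scheme:// (phar://, http://, ...)
    //    BEFORE any filesystem call. On PHP < 8, functions such as
    //    file_exists() on a phar:// path unserialize the archive metadata,
    //    which is the object-injection route the warning describes.
    if (preg_match('#^[a-z][a-z\d+.\-]*://#i', $path) === 1) {
        return false;
    }
    // 2. Refuse embedded NUL bytes.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // 3. Canonicalise both paths and require a readable regular file.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false || !is_file($real) || !is_readable($real)) {
        return false;
    }
    // 4. The resolved file must sit inside the allowed directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Constructed sample input: a temporary upload directory with one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

$samples = [
    $base . DIRECTORY_SEPARATOR . 'report.pdf',            // inside base dir
    'phar://' . $base . DIRECTORY_SEPARATOR . 'report.pdf', // stream wrapper
    'PHAR://' . $base . DIRECTORY_SEPARATOR . 'report.pdf', // case variant
    $base . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'other.txt', // traversal
];
foreach ($samples as $candidate) {
    printf("%-6s %s\n", isSafeAttachmentPath($candidate, $base) ? 'allow' : 'reject', $candidate);
}

unlink($base . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($base);
```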
