[Secure-testing-team] Bug#504283: CVE-2007-3215: phpmailer issue (embedded code-copy)
Steffen Joeris
steffen.joeris at skolelinux.de
Sun Nov 2 12:28:15 UTC 2008
Package: phpgroupware
Severity: grave
Tags: security, patch
Justification: user security hole
Hi Peter,
the following CVE (Common Vulnerabilities & Exposures) id was
published for egroupware-core.
CVE-2007-3215[0]:
| PHPMailer 1.7, when configured to use sendmail, allows remote
| attackers to execute arbitrary shell commands via shell metacharacters
| in the SendmailSend function in class.phpmailer.php.
You'll find a patch for the issue here[1]. However, it would be nice,
if you could depend against the libphp-phpmailer package, instead
of shipping a copy of the code.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
http://security-tracker.debian.net/tracker/CVE-2007-3215
[1] http://klecker.debian.org/~white/libphp-phpmailer/class.phpmailer.php.patch
More information about the Secure-testing-team
mailing list