Security Question: When will phpmailer be updated in MOD 2.7.x?

phatphug · July 29, 2019, 9:50am

I’ve just reported this security issue by email.

I noticed today that PHPMailer has had some security updates to address CVE-2018-19296. I can see this information by looking at the github releases page of PHPMailer.

MODX, to my knowledge uses PHPMailer 5.2.26, however, since then:
5.2.27 and 6.0.6 was released in Nov 2018 to address CVE-2018-19296.
The entire 5.2 branch has been deprecated as of 31 Dec 2018.

In the meantime, can you advise if it’s possible to disable PHPMailer 5.2.26 which is bundled with MODX? Is it possible to have MODX use an alternative mail library instead of modMail / PHPMailer 5.2.x?

thanks

jnogueira · July 29, 2019, 3:41pm

Hi @phatphug, welcome to the Modx community!

Thanks for the information share. This is indeed very important.
Never tried to switch the mailer agent to other than the embedded phpmailer.

I will subscribe this topic to follow all other interactions closely.

jnogueira · July 29, 2019, 3:53pm

Checked modx revolution github and there is no Fault opened for this topic.
Created one:

Hopefully this will raise the visibility of the issue to the devs so we can get a quick fix.

opengeek · July 29, 2019, 4:03pm

I got the security email this morning, and as I replied to the OP, I am in the process of updating PHPMailer in the 2.x branch.

bobray · July 29, 2019, 10:26pm

Does using SMTP bypass PHPMailer and the security issue?

opengeek · July 29, 2019, 10:31pm

No. PHPMailer is the default implementation of modMail that comes with the MODX core and is used anytime you use the modMail API unless you provide a custom implementation.

phatphug · July 30, 2019, 8:39am

Thanks for picking this up so quickly. I’ll await your update.