Marcus Bointon 2017-11-04 10:26:05 +01:00
parent b6316bb575
commit 70362997bd
No known key found for this signature in database
GPG Key ID: DE31CD6EB646AA24
6 changed files with 10 additions and 5 deletions

View File

@ -2,6 +2,8 @@
Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
PHPMailer 5.2.25 and earlier default to using `echo` for output, which has a potential for XSS if debug output is left on in production. This was already fixed in 6.0, change added to 5.2.26. Thanks to Bankde Eakasit for spotting it.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity.
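Review bot: the new 5.2.26 entry says 5.2.25 and earlier default to `echo`, but it does not say what the backport actually changes; the ChangeLog in this same commit describes it as setting the Debugoutput default in the constructor according to the SAPI in use. State that here as well, so readers understand that only the default moves and that code which explicitly sets `Debugoutput = 'echo'` under a web SAPI, or leaves `SMTPDebug` enabled in production, is still exposed. A follow-up could also fix the doubled "it it" in the unchanged 5.2.24 paragraph below.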

View File

@ -1 +1 @@
5.2.25
5.2.26

View File

@ -1,5 +1,8 @@
# ChangeLog
## Version 5.2.26 (November 4th 2017)
* Minor security backport from 6.0 - set Debugoutput in constructor according to SAPI in use, avoiding potential XSS in default debug output.
## Version 5.2.25 (August 28th 2017)
* Make obtaining SMTP transaction ID more reliable
* Add Bosnian translation
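Review bot: the 5.2.26 entry says Debugoutput is chosen "according to SAPI in use" but not which output mode is selected for CLI versus web SAPIs, nor that only the default changes; naming the values lets users who override `Debugoutput` themselves judge whether they are affected. Consider also pointing at the SECURITY.md entry added in this commit and at the 6.0 change this is backported from, since the changelog line is the only place most users will look.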

View File

@ -31,7 +31,7 @@ class PHPMailer
* The PHPMailer Version number.
* @var string
*/
public $Version = '5.2.25';
public $Version = '5.2.26';
/**
* Email priority.

View File

@ -34,7 +34,7 @@ class POP3
* @var string
* @access public
*/
public $Version = '5.2.25';
public $Version = '5.2.26';
/**
* Default POP3 port number.

View File

@ -30,7 +30,7 @@ class SMTP
* The PHPMailer SMTP version number.
* @var string
*/
const VERSION = '5.2.25';
const VERSION = '5.2.26';
/**
* SMTP line break constant.
@ -81,7 +81,7 @@ class SMTP
* @deprecated Use the `VERSION` constant instead
* @see SMTP::VERSION
*/
public $Version = '5.2.25';
public $Version = '5.2.26';
/**
* SMTP server port number.
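Review bot: `$Version` and the `VERSION` constant are bumped in two separate hunks of this file, and the docblock already marks `$Version` as deprecated in favour of the constant. Initialising it as `public $Version = self::VERSION;` would keep the two in sync and turn future release bumps into a single edit; the PHPMailer and POP3 classes above carry the same duplicated version literal. Not a blocker for a security backport.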