command injection of phpmailer in XOOPS

Date 2007-06-13 06:03:31 | Category: XOOPS


Reference:
http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/

Although this is a fatal (sudden-death) vulnerability, the vulnerable setting is not the default.

If you have changed the value of mailmethod from "php mail()" to "sendmail", change it to one of the other values.

I've just released Protector-3.04 with this check.

If you leave such a setting in place, Protector alerts you: "phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now!"





The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=431