After installing Piwigo 11.5.0 I received the message below from my hosting company:
-----------------------------------------------------------------------------------------------------------
Hello,
As part of our commitment to providing you with a secure hosting environment, we performed an automated scan of your domain(s) johnclifford.me.uk hosted on nl1-ss16.a2hosting.com.
It appears patches are available for application(s) installed in the following path(s):
Code injection vulnerability in PHPMailer
/home/johnclif/public_html/piwigo/include/phpmailer/class.phpmailer.php
If you are working with a development partner, please forward this email on to them as they will be able to take care of the update for you. Otherwise, we will automatically apply the above patches within seven days.
Click here to learn more about our perpetual security scans: https://www.a2hosting.com/kb/cpanel/adv … s/patchman
Best regards,
The A2 Hosting Support Team
-------------------------------------------------------------------------------------------
Copy here your environment details, found on your Piwigo page [Administration > Tools > Maintenance]
Operating system: Linux
PHP: 7.2.34 [2021-05-17 16:54:21]
MySQL: 10.3.22-MariaDB-cll-lve [2021-05-17 22:54:21]
Graphics Library: ImageMagick 7.0.10-10
Piwigo URL: https://www.johnclifford.me.uk/piwigo/
Offline
Hi jclifford,
Does your hosting provider give you more details about the security issue with PHPMailer?
Piwigo 11.5.0 uses PHPMailer 5.2.21, which is quite old, but still compatible with old versions of PHP, as Piwigo is. For Piwigo 12 we will increase the minimum required PHP version and we will be able to install a much newer version of PHPMailer.
For now, we can update to PHPMailer 5.2.28 which includes 2 security fixes, but I don't know if that's the problem triggered by your hosting provider.
Offline
Hi,
Today I just got the same message from A2Hosting as jclifford. My Piwigo details are
Piwigo 11.5.0
Operating system: Linux
PHP: 7.4.16 [2021-05-18 05:43:20]
MySQL: 5.5.5-10.3.23-MariaDB-cll-lve [2021-05-18 11:43:20]
Graphics Library: ImageMagick 7.0.10-10
No details from A2Hosting about which CVE they are referring to. I'll open a support ticket and try and get further details. I was using PHP 7.3 and upgraded it to the latest available 7.4 this morning. 8.0 doesn't work.
Offline
Thank you for this first feedback.
I know the latest version on branch 5.2 (i.e. 5.2.28) was released to avoid warning/error messages with PHP 7.4, see [Github] PHPMailer commit db4d3d0c so maybe it's the problem.
Offline
I've opened a ticket with A2Hosting & will get back to you with any further details
Offline
Just got this back:
I would like to let you know that there should be no issues with the mentioned PHPMailer as Patchman should apply an automatic update for it in one week. In case you want the patch to be applied manually, instead of automatic update, it can be done in one click with the help of the following manual:
https://www.a2hosting.com/kb/cpanel/adv … ount
In case you have any questions unanswered, please let us know.
Not sure if that is any help to you though. Hopefully it won't break Piwigo?
Offline
If they update PHPMailer to a version 6.x, it will break Piwigo, for sure. If they update to 5.2.28 there should be no problem (didn't fully test for now).
Offline
I just patched PHPMailer using 'Patchman' from the Control Panel and the site still works. Can you tell me how to find the details for PHPMailer so I can let you know which version?
EDIT: A2Hosting pointed me to this CVE https://github.com/advisories/GHSA-4pc3-96mx-wwc8
Last edited by downtrip (2021-05-18 12:59:38)
Offline
That's weird. The link you posted is about CVE-2016-10045 but this security issue was fixed in PHPMailer 5.2.20 and Piwigo 11.5.0 is on PHPMailer 5.2.21.
downtrip wrote:
Can you tell me how to find the details for PHPMailer so I can let you know which version?
open file include/phpmailer/class.phpmailer.php and find line:
34 public $Version = '5.2.21';
I'm going to try PHPMailer 5.2.28
Offline
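A small script for the check plg describes above, reading the `$Version` line out of `class.phpmailer.php` and comparing it against 5.2.28. This is an added example, not code from the thread or from Piwigo; the Piwigo root path is a parameter and the sample file is constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or from Piwigo): report which
# PHPMailer version a Piwigo install ships and whether it is below 5.2.28.
set -eu

# Extract the version from the "public $Version = '...';" line that
# plg points at in include/phpmailer/class.phpmailer.php.
phpmailer_version() {
    sed -n "s/.*Version = '\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# True (exit 0) when version $1 is older than $2. Uses GNU sort -V so
# that 5.2.9 sorts before 5.2.10 (plain string comparison would not).
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "update (...)" or "ok (...)" for the Piwigo install rooted at $1.
# The 5.2.28 threshold is the version plg tested in this thread.
check_piwigo_phpmailer() {
    f="$1/include/phpmailer/class.phpmailer.php"
    [ -f "$f" ] || { echo "missing"; return 0; }
    v="$(phpmailer_version "$f")"
    if version_lt "$v" "5.2.28"; then
        echo "update ($v < 5.2.28)"
    else
        echo "ok ($v)"
    fi
}

# Constructed sample mimicking the header of the file bundled with Piwigo 11.5.0.
SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$SAMPLE_DIR/include/phpmailer"
cat > "$SAMPLE_DIR/include/phpmailer/class.phpmailer.php" <<'EOF'
<?php
class PHPMailer
{
    public $Version = '5.2.21';
}
EOF

check_piwigo_phpmailer "$SAMPLE_DIR"
```

Run it as `check_piwigo_phpmailer /home/<user>/public_html/piwigo` against a real install; a Patchman-patched file may carry a different version string, so the script tells you what it found rather than guessing.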
My test with PHPMailer 5.2.28 shows no problem (with PHP 7.4)
Offline
Piwigo could always choose to be compatible with CURRENT software, that is PHP 8 etc, in order to avoid security problems with legacy-ware…
plg wrote:
If they update PHPMailer to a version 6.x, it will break Piwigo, for sure. If they update to 5.2.28 there should be no problem (didn't fully test for now).
Offline
Zentalquabula wrote:
Piwigo could always choose to be compatible with CURRENT software, that is PHP 8 etc, in order to avoid security problems with legacy-ware…
You don't realize how *impossible* it is I think :-)
Being compatible with PHP 8 is one thing. Forcing all Piwigo users to update their PHP to latest version 8 is an absolutely impossible mission. So if we don't care about our users, then it would be the way to go. But... we do care :-) We want Piwigo to be "installable", so we have to make compromises.
The current compromise, being compatible with PHP 5.3, is becoming really problematic. I agree. That's why we have implemented a "check for required PHP version before upgrade" in Piwigo 11. This way we will be able to easily increase the required version from PHP 5.3 to... 7.0 or maybe 7.2 in Piwigo 12 (certainly not PHP 8, way too soon for that).
Offline
Updating to PHPMailer 5.2.28 seems the way to go, but how do I do that?
Offline
Just wait until it gets updated with a (the next?) Piwigo update.
Offline