Debian Security Advisory DSA 1315-1 (libphp-phpmailer) Network Vulnerability

Summary

The remote host is missing an update to libphp-phpmailer announced via advisory DSA 1315-1.

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201315-1

Insight

Thor Larholm discovered that libphp-phpmailer, an email transfer class for PHP, performs insufficient input validition if configured to use Sendmail. This allows the execution of arbitrary shell commands. The oldstable distribution (sarge) doesn't include libphp-phpmailer. For the stable distribution (etch) this problem has been fixed in version 1.73-2etch1. For the unstable distribution (sid) this problem has been fixed in version 1.73-4. We recommend that you upgrade your libphp-phpmailer package.

Severity

Classification

CVE CVE-2007-3215

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 1066-1 (phpbb2)
Debian Security Advisory DSA 1115-1 (gnupg2)
Debian Security Advisory DSA 1025-1 (dia)
Debian Security Advisory DSA 1152-1 (trac)
Debian Security Advisory DSA 1023-1 (kaffeine)

Take action and discover your vulnerabilities