Security issue if you use PHPMailer!

There has recently surfaced a new exploit that utilizes PHPMailer, and allows for Remote Code Execution.
I don’t think Kirby uses PHPMailer?

But just as a heads up, if any of you use WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla!, keep an eye out for security patches.


@bastianallgeier could you verify if Kirby isn’t affected by exploit CVE-2016-10033?

Correct me if I’m wrong but as far as I can tell Kirby is not affected. According to this document a malicious email address looks like this: "Attacker \" -Param2 -Param3"@test.com. Kirby’s Email class uses v::email to validate the email addresses before the email is sent. The validation function in turn uses filter_var with FILTER_VALIDATE_EMAIL. If I try this:

filter_var('"Attacker \" -Param2 -Param3"@test.com', FILTER_VALIDATE_EMAIL);

The validation returns false, so Kirby will reject malicious email addresses.
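As an added example (not Kirby's code and not from the post above), here is a small PHP sender-address check of the kind described: it runs filter_var with FILTER_VALIDATE_EMAIL and, as defence in depth, additionally rejects any address containing whitespace, quotes or backslashes before it could reach mail(). The function name and the sample table are assumptions for illustration.

```php
<?php
// Added example, not Kirby's own code. The address handed to mail() becomes
// part of its fifth argument (-f<sender>), which is the sink CVE-2016-10033
// targets, so the sender must be validated before it gets anywhere near it.

function isSafeSenderAddress(string $address): bool
{
    // First gate: the built-in syntactic validator the post refers to.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Second gate, independent of how filter_var treats quoted local parts:
    // a sender that will be passed as a shell-visible parameter must never
    // contain whitespace, quotes or backslashes.
    return preg_match('/[\s"\'\\\\]/', $address) !== 1;
}

// Constructed samples: an ordinary address and the payload quoted in the thread.
// Single quotes keep the backslash literally, as in the filter_var call above.
$samples = [
    'user@example.com'                       => true,
    '"Attacker \" -Param2 -Param3"@test.com' => false,
];

foreach ($samples as $address => $expected) {
    $result = isSafeSenderAddress($address);
    printf(
        "%-45s -> %s (%s)\n",
        $address,
        $result ? 'accepted' : 'rejected',
        $result === $expected ? 'as expected' : 'UNEXPECTED'
    );
}
```

Wire such a check in front of every place a user-controlled address reaches mail() or a mailer's sender setting; rejecting at validation time means the quoting behaviour of the mail transport never matters.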

Thank you very much for letting us know!

Kirby does not ship with PHPMailer. Users can install PHPMailer themselves as a plugin or as part of a plugin, but this is indeed not related to Kirby directly.

I can confirm what @lukasbestle already said. We don’t have PHPMailer as a dependency, so Kirby is not affected.

Perfect! Glad to hear that 🙂