Hello, welcome to the Thursday, December 29th, 2016 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, by now it should be old news that a PHP mailer, this PHP class that allows you to send email is vulnerable.

But to add a little bit to this,

we actually have a second vulnerability to talk about. It's very similar, actually related to the

first vulnerability that was originally discovered around Christmas. This new vulnerability is

more or less just an incomplete fix of the first vulnerability.

So if you updated PHP Mailer a few days ago, I hope you kept good notes and can do so again

with this new update.

There are a couple of issues now because of the additional escaping that PHP Mailer does. There were some issues where people

did escape before they passed the arguments to PHP Mailer, then it got double escaped and

the like. So I don't think this problem is actually completely solved at this point. Your

best bed is if you are setting a from address, set it to a fixed

string. The from address should match the server. The email comes from anyway. It's bad practice

to set it to an address that's provided by the user because you're not necessarily authorized

to send email

on that user's domain's behalf. So if that user has things configured like SPF records or

D-Kim, there's a good chance that the email will end up in a spam filter if you do set the from

address. Set the reply to address. That way, if you do set the from address.

Set the reply to address.

That way if you reply to the email, it will go to that user.

But keep the from address to a fixed address that is associated with your web server.

...