Hello, welcome to the Tuesday, December 27, 2016 edition of the Sands and Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, it was reasonably quiet over this long weekend, not a lot of emergency stuff to report about.

The one thing that sort of cropped up

that you should attend to quickly

if you are affected is a vulnerability

in a popular PHP module, PHP Mailer.

Now, this is nothing that comes with a default PHP installed,

but a lot of software does use PHP Mailer and installs it in order well to send email.

Now, PHP has its own build-in function called Mail that you can use to send email,

but it's rather limited in terms of how it interface with the system on Unix.

It's really just a wrapper around Send Mail,

so you can't connect to arbitrary mail servers and the like.

PHP Mailer removes a lot of these restrictions

and makes it easier to access a lot of these features.

So that's why people like to use PHP Mailer.

It also includes some advanced features like

creating of decim signatures and the like. Now in order to do all of this, PHP mailer has to call

operating system commands. And here we have a classic problem where we have to pass command line arguments to these commands

and they have to be escaped properly. The one parameter was not sent correctly, was the sender

parameter. Now this is not just the from address, but it's typically derived from the from address.

It's essentially what the mail software tells the recipient where the email came from.

...