by David Snopek on December 26, 2016 - 5:45pm

You may have noticed that CVE-2016-10033 came out yesterday, which discloses a Remote Code Execution (RCE) vulnerability in the PHPMailer library, which is used by popular contrib modules like SMTP or PHPMailer.

This is a highly critical vulnerability because Remote Code Execution means an attacker can run arbitrary code on your server!

The Drupal Security team just made a PSA today: DRUPAL-PSA-2016-004

The real, full fix is to update the PHPMailer library to version 5.2.19 or later, or if you use the SMTP module version 7.x-1.5 or lower, to update to SMTP 7.x-1.6 (because SMTP 7.x-1.x embeds the library in the module).

However, if you're using Drupal 6, you probably have an old version of PHPMailer (5.1 or lower), and newer versions may not be compatible with the code on your site (either custom or contrib). Attempting an update in the middle of the holidays when not everyone is available to test or deal with follow-up issues might not be the best idea.

So, what we're recommending (and what we've already done for our customers) is removing the vulnerable feature from the PHPMailer library.

The vulnerability is in PHPMailer's support for sending mail via the 'sendmail' command-line application. However, odds are you're using PHPMailer exclusively for sending via SMTP (as the SMTP and PHPMailer modules do). So, you can just delete the code for that feature!

Here's how... Open the class.phpmailer.php file, and delete:

  1. The whole SendmailSend() function
  2. The whole MailSend() function
  3. The 'case' statement where those functions are called

Here's a patch that applies to PHPMailer 5.1 as an example.
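If you apply the edit above across several Drupal 6 sites, it helps to have a check that confirms each copy of class.phpmailer.php is either at a fixed upstream version or has actually had the sendmail/mail() paths removed. The script below is an added example for this post, not PHPMailer's code or the patch linked above. It reads the `$Version` property that PHPMailer declares, compares it against the 5.2.19 threshold the post gives, and otherwise greps for the two function definitions and the 'sendmail' case. The two sample files it writes are constructed stand-ins that mimic the layout of the class file; they are not real PHPMailer source.

```shell
#!/bin/sh
# Audit helper for the workaround described in the post (added example, not
# part of PHPMailer or of the original article).

# Print the version declared in a PHPMailer class file (e.g. 5.1), or "unknown".
phpmailer_version() {
  sed -n 's/.*[$]Version *= *.\([0-9.]*\).*/\1/p' "$1" | head -n 1 | grep . || echo unknown
}

# Return 0 if dotted version $1 is at least $2 (numeric compare per component).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0;
  }'
}

# Return 0 when neither SendmailSend() nor MailSend() is defined and no
# 'sendmail' case remains, i.e. the three deletions from the post were made.
sendmail_path_removed() {
  if grep -Eq "function +(SendmailSend|MailSend) *\(" "$1"; then return 1; fi
  if grep -Eq "case +['\"]sendmail['\"]" "$1"; then return 1; fi
  return 0
}

# Overall verdict: 0 = nothing to do (fixed upstream version, or feature
# removed), 1 = the file still carries the vulnerable code paths.
phpmailer_audit() {
  v=$(phpmailer_version "$1")
  if version_ge "$v" 5.2.19; then
    echo "$1: PHPMailer $v already has the upstream fix"; return 0
  fi
  if sendmail_path_removed "$1"; then
    echo "$1: PHPMailer $v with sendmail/mail() paths removed"; return 0
  fi
  echo "$1: PHPMailer $v still contains SendmailSend()/MailSend(): update or apply the workaround"
  return 1
}

# Constructed sample files (layout only, not real PHPMailer code).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_VULNERABLE="$tmp/vulnerable.php"
SAMPLE_MITIGATED="$tmp/mitigated.php"

cat > "$SAMPLE_VULNERABLE" <<'EOF'
<?php
class PHPMailer {
  public $Version = '5.1';
  public $Mailer = 'smtp';
  public function Send() {
    switch ($this->Mailer) {
      case 'sendmail':
        return $this->SendmailSend();
      case 'smtp':
        return $this->SmtpSend();
      default:
        return $this->MailSend();
    }
  }
  protected function SendmailSend() { /* shells out to sendmail */ }
  protected function MailSend() { /* calls mail() */ }
  protected function SmtpSend() { /* talks SMTP */ }
}
EOF

cat > "$SAMPLE_MITIGATED" <<'EOF'
<?php
class PHPMailer {
  public $Version = '5.1';
  public $Mailer = 'smtp';
  public function Send() {
    return $this->SmtpSend();
  }
  protected function SmtpSend() { /* talks SMTP */ }
}
EOF

# Stand-alone run: report on both samples (a failing audit is not an error here).
for f in "$SAMPLE_VULNERABLE" "$SAMPLE_MITIGATED"; do
  phpmailer_audit "$f" || :
done
```

On a real server, point `phpmailer_audit` at each `class.phpmailer.php` under the sites' module directories (for example via `find /var/www -name class.phpmailer.php`); a non-zero exit marks a copy that still needs the update or the edit.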

After the holidays will be a great time to evaluate whether PHPMailer 5.2.19 will work on your site! Although, if your site is now just in maintenance mode, this fix may be sufficient, since it's unlikely that you'll be messing with the PHPMailer library any further.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Subscribe to the myDropWizard.com blog to receive e-mail updates when new articles are published!

Comments

Hey guys. Here are another 3 critical security vulnerabilities in PHP
http://www.cyberkendra.com/2016/12/php-7-suffers-from-3-critical-zero-da...

Yeah, it's been a bad week for PHP security. :-/ We don't really have anything to add to that issue except to say that if you maintain your own servers (which, for most organizations, is probably an inefficient use of resources) that you should stay on top of upstream security releases!
