phpmailer

phpmailer

by max ragazzi -
Number of replies: 3

I've read there is a vulnerabilty in phpmailer version 5.2.18.

Now i've installaed Moodle 2.8.5, but i can't know

- if this versione use phpmailer

- if yes what version is installed

- if necessary how to upgrade

Many thanks for your efforts

Massimiliano

Average of ratings: -
In reply to max ragazzi

Re: phpmailer

by Matteo Scaramuccia -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

Hi Max,
first your Moodle instance should be updated using one among those supported at least for security issues: https://moodle.org/mod/forum/discuss.php?d=345417.

Regarding your question about PHPMailer, please read more at https://moodle.org/mod/forum/discuss.php?d=345914#p1395033 and MDL-57573.

HTH,
Matteo

Average of ratings: -
In reply to Matteo Scaramuccia

Re: phpmailer

by max ragazzi -

Thank you Matteo,

for your link  https://moodle.org/mod/forum/discuss.php?d=345914#p1395033.

In this item is expressed a workaround that say

Define $CFG->noreplyaddress and $CFG->supportemail in config.php

But how have to set this parameters to avoid the vulnerability?

Thanks a lot

Massimiliano

Average of ratings: -
In reply to max ragazzi

Re: phpmailer

by Matteo Scaramuccia -
Picture of Core developers Picture of Peer reviewers Picture of Plugin developers

Hi Max,
the description tells one more important detail: This issue only affect sites that leave $CFG->smtphosts empty.
How did you configure your instance? Look at its value in the proper section or search it using the search box in the Administration block.

In case you'll have it empty, just drop two new lines in your config.php file e.g.:

$CFG->noreplyaddress = 'noreply@<yourdomain>';
$CFG->supportemail = 'support@<yourdomain>';

HTH,
Matteo

Average of ratings: -