Matt at 18:36, 29 December 2016

2016-12-29T18:36:04Z

Matt: Created page with "
Release Information
Version: 6.3.2
Release Type: Security
Release Date: 29..."

2016-12-29T18:35:47Z

Created page with "<div class="docs-alert-info" style="max-width:370px;"> <span class="title">Release Information</span> <br /> Version: 6.3.2<br /> Release Type: Security<br /> Release Date: 29..."

New page

<div class="docs-alert-info" style="max-width:370px;">
<span class="title">Release Information</span>
<br />
Version: 6.3.2<br />
Release Type: Security<br />
Release Date: 29th December 2016<br />
Distribution Types: Full Version, Incremental and via Automatic Updater
</div>

==Update/Download==

A full download and incremental patch set version can be downloaded via the [http://download.whmcs.com/ Downloads page]. [[Upgrading|See Manual Upgrade Steps]]

==Release Notes==

===PHPMailer Security Advisory===

'''Exploit type:''' Remote Code Execution in third-party PHPMailer library
'''CVE Numbers:''' CVE-2016-10033 and CVE-2016-10045

====Description====

All versions of the third-party PHPMailer library distributed with WHMCS are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.20.

At this time we do not believe the deficiency in PHPMailer is exposed in WHMCS due to our own validation of user input. Furthermore, the vulnerability requires being able to pass user input unfiltered to a message's "from" address, which in WHMCS is only defined within the admin configuration and only accessible to a trusted admin user.

Irrespective of the known protections in the WHMCS product, this CVE represents a serious issue for PHPMailer. Therefore to mitigate any undiscovered risk or risk to 3rd party extensions using PHPMailer directly, we are releasing updates for all versions of WHMCS in active and long term support to provide the latest PHPMailer library version 5.2.21.

The fix provided by PHPMailer in 5.2.20 for CVE-2016-10045 introduces stricter validation of the sender email address. In most cases, this will not present any problems. However, the fix does break RFC compliance for sender addresses and so more obscure email addresses while technically valid may be rejected by PHPMailer following this change.

====Further Reading====

# https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
# https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
# https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
# https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

==Template Changes==

None

==Changelog==

===Version 6.3.2 ===
{{:Changelog:WHMCS V6.3.2}}

__NOTOC__

@@ Line 5: / Line 5: @@
 Release Type: Security<br />
 Release Date: 29th December 2016<br />
-Distribution Types: Full Version, Incremental and via Automatic Updater
+Distribution Types: Full Version and Incremental
 </div>

Version 6.3.2 Release Notes - Revision history

Matt at 18:36, 29 December 2016

Matt: Created page with " Release Information Version: 6.3.2 Release Type: Security Release Date: 29..."

Matt: Created page with "
Release Information
Version: 6.3.2
Release Type: Security
Release Date: 29..."