Our servers are not vulnerable to the critical PHPMailer security bug CVE-2016-10033
Many scripts that send e-mail include a file called PHPMailer. The file is distributed as part of WordPress, Joomla, Drupal, and lots more software.
Recently, a security researcher discovered a security bug in PHPMailer. The bug could allow “hackers” to take over a website.
However, sites hosted on our servers are not vulnerable to this problem. (Despite that, you should always update your copy of WordPress, Joomla, or any other software when there’s a new version available.)
Why aren’t site hosted on Tiger Technologies vulnerable?
To compromise a site that uses a vulnerable version of PHPMailer, an attacker needs to cause the “sendmail” program on the server to execute with the obscure “-X” parameter, as in /usr/sbin/sendmail -X file.php -f firstname.lastname@example.org.
Most versions of sendmail support the “-X” parameter. However, the version we use on our servers doesn’t support it, and never has. (It’s the version distributed with the Postfix mail server software.) If someone tries using it, sendmail will simply fail with an error of “fatal: unsupported: -X”.
We also note, though, that there are rumors of other attacks that don’t rely on the “sendmail -X” parameter. It’s not clear if these are real, but just in case, we’ve taken the addition precaution of patching our PHP software to limit the characters PHP scripts can submit to sendmail. As a trivial example, this PHP code:
$email_from = '-f address;@example.com';
mail('email@example.com', 'test', 'test', '', $email_from);
… will now exit because it contains a forbidden semicolon, showing this error:
PHP Fatal error: Forbidden character in sendmail command: '-f address;@example.com
Can I disable this protection?
If the PHP patch mentioned above causes you any trouble, you can disable it by adding this single line to your php.ini settings in our My Account control panel:
(It’s correct for there to be nothing after the equal sign.)
As always, if you have any trouble or questions, don’t hesitate to contact us.