Our servers are not vulnerable to the critical PHPMailer security bug CVE-2016-10033

Posted December 28th, 2016 in System Status, Tech Corner. Tags: , , , , .

Many scripts that send e-mail include a file called PHPMailer. The file is distributed as part of WordPress, Joomla, Drupal, and lots more software.

Recently, a security researcher discovered a security bug in PHPMailer. The bug could allow “hackers” to take over a website.

However, sites hosted on our servers are not vulnerable to this problem. (Despite that, you should always update your copy of WordPress, Joomla, or any other software when there’s a new version available.)

Why aren’t site hosted on Tiger Technologies vulnerable?

To compromise a site that uses a vulnerable version of PHPMailer, an attacker needs to cause the “sendmail” program on the server to execute with the obscure “-X” parameter, as in /usr/sbin/sendmail -X file.php -f address@example.com.

Most versions of sendmail support the “-X” parameter. However, the version we use on our servers doesn’t support it, and never has. (It’s the version distributed with the Postfix mail server software.) If someone tries using it, sendmail will simply fail with an error of “fatal: unsupported: -X”.

We also note, though, that there are rumors of other attacks that don’t rely on the “sendmail -X” parameter. It’s not clear if these are real, but just in case, we’ve taken the addition precaution of patching our PHP software to limit the characters PHP scripts can submit to sendmail. As a trivial example, this PHP code:

$email_from = '-f address;@example.com';
mail('address@example.com', 'test', 'test', '', $email_from);

… will now exit because it contains a forbidden semicolon, showing this error:

PHP Fatal error: Forbidden character in sendmail command: '-f address;@example.com

Can I disable this protection?

If the PHP patch mentioned above causes you any trouble, you can disable it by adding this single line to your php.ini settings in our My Account control panel:

tigertech.allowed_mail_parameter_characters =

(It’s correct for there to be nothing after the equal sign.)

As always, if you have any trouble or questions, don’t hesitate to contact us.

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds