Regarding the exploit as detailed and found here:
http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Obviously it is best practise and best policy to keep PHPMailer fully upto date, and that is currently being undertaken on our servers, and I am in no way stating against that.
However, I wanted to clarify as our servers use PHPMailer with SMTP (->isSMTP), so are these still immediately vulnerable to the exploit raised, as that exploit specifically effects PHP mail() function? From my understanding, the sendmail function used by mail does not use SMTP authentication so I hazard that sending messages via authenticated SMTP would not use PHP mail().
Cheers
Indeed - you are only exposed if you are using the default transport (isMail()), which calls mail() internally; SMTP does not call mail, and is not vulnerable. You're not necessarily exposed even if you are using mail() - the key requirement is that you use a user-supplied from address.
More details on the project wiki.
Most helpful comment
Indeed - you are only exposed if you are using the default transport (
isMail()), which callsmail()internally; SMTP does not call mail, and is not vulnerable. You're not necessarily exposed even if you are usingmail()- the key requirement is that you use a user-supplied from address.More details on the project wiki.