Security statement on Community Builder 2.1.1 regarding third-party libraries PHPMailer and Guzzle


First of all, Community Builder and our CB add-ons are not vulnerable to the third-party library vulnerabilities listed below, in the default or any reasonable configuration. Additionally, third-party CB add-ons that use the CB API correctly should also not be vulnerable through these third-party library vulnerabilities.

The CB team follows security news, and Beat is a member of the Joomla Security Strike Team (JSST). We are therefore usually aware very early of new vulnerabilities that could affect Community Builder or our add-ons. For all of the third-party library vulnerabilities below, we were usually aware of the issue within hours, and each time we could assess, with the highest priority, that the vulnerability could not be exploited through Community Builder or any of our add-ons.

The CB team applies defensive programming techniques. This means that we often have multiple levels of protection and user-input filtering, handle the default cases, and always escape at the right place, so that security reviews are easy. Also, no code change is made in core CB without peer review inside the team. As a matter of fact, with CB 2.1.1 we are celebrating the 1234th merge request since CB 2.0! Each of those merge requests has been peer-reviewed and security-audited before being added to CB.

Community Builder 2.1.1 includes the newest PHPMailer 5.2.22 third-party emailing library and a security-improved version of the Guzzle HTTP/HTTPS request library.

As both libraries have recently had security vulnerabilities and fixes, the CB team is issuing the following security statement on those issues and their non-exploitability in Community Builder.

PHPMailer Security Advisory

CB 2.0 through 2.1.0 include the third-party library PHPMailer 5.2.8, but its vulnerabilities are not exploitable in CB with the default or any reasonably possible settings.

The information below is provided for transparency only.

We cannot assert the security of third-party add-ons and Joomla extensions. But if the CB API is used properly, these library-level vulnerabilities should not be exploitable in third-party add-ons.

1. Exploit type: Remote Code Execution in third-party PHPMailer library

2. Exploit type: Local file disclosure

3. Exploit type: Arbitrary message sending

4. Exploit type: Remote code execution

Guzzle Security Advisory

CB 2.0 through 2.1.0 include the third-party library PHPMailer 5.2.8, but its vulnerabilities are not exploitable in CB with the default or any reasonably possible settings.

The information below is provided for transparency only.

We cannot assert the security of third-party add-ons and Joomla extensions. But if the CB API is used properly, these library-level vulnerabilities should not be exploitable in third-party add-ons.

1. Exploit type: HTTP request interception via the "httpoxy" HTTP_PROXY vulnerability of Apache and of PHP, to which Guzzle was also vulnerable.
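The class of fix that closes httpoxy, as an added illustration that is neither Community Builder nor Guzzle code: under a web SAPI, CGI-style servers map a client-sent "Proxy:" request header onto the HTTP_PROXY variable, so an HTTP client must only honour HTTP_PROXY on the command line. The function names resolveOutboundProxy and httpoxyLogLine and the sample request values are assumptions constructed for this example.

```php
<?php
// Added example (not CB or Guzzle code). Shows why HTTP_PROXY must not be
// trusted in a web request and how an operator can spot an attempt.

/**
 * Decide which outbound proxy, if any, an HTTP client should use.
 *
 * @param string      $sapi        PHP_SAPI value, passed in so the rule is testable
 * @param array       $env         environment, e.g. getenv() output or $_SERVER
 * @param string|null $configured  proxy set explicitly by the site administrator
 */
function resolveOutboundProxy(string $sapi, array $env, ?string $configured): ?string
{
    // Vulnerable pattern, kept only as a comment:
    //     return $env['HTTP_PROXY'] ?? $configured;
    // Hardened pattern: HTTP_PROXY is honoured only on the command line, where
    // no request header can populate it; web requests use the admin setting only.
    if ($sapi === 'cli' && !empty($env['HTTP_PROXY'])) {
        return $env['HTTP_PROXY'];
    }
    return $configured;
}

/**
 * Operator-side detection: in a web request, a populated HTTP_PROXY server
 * variable almost always means the client sent a "Proxy:" header, which is
 * the httpoxy signature. Returns a log line, or null when nothing is suspicious.
 */
function httpoxyLogLine(string $sapi, array $server): ?string
{
    if ($sapi === 'cli' || empty($server['HTTP_PROXY'])) {
        return null;
    }
    return sprintf(
        'httpoxy attempt from %s: Proxy header=%s',
        $server['REMOTE_ADDR'] ?? 'unknown',
        $server['HTTP_PROXY']
    );
}

// Constructed sample: a web request carrying an attacker-supplied Proxy header.
$webRequest = ['HTTP_PROXY' => 'http://203.0.113.5:8080', 'REMOTE_ADDR' => '198.51.100.7'];
// Web SAPI: the header-derived value is ignored and only the admin setting applies.
var_dump(resolveOutboundProxy('apache2handler', $webRequest, null));
// CLI: a genuine environment variable is still honoured.
var_dump(resolveOutboundProxy('cli', ['HTTP_PROXY' => 'http://proxy.internal:3128'], null));
echo httpoxyLogLine('apache2handler', $webRequest), PHP_EOL;
```

The same rule applies to any client library that reads HTTP_PROXY: gate it on PHP_SAPI, and log web requests where the variable is populated.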