[wp-trac] [WordPress Trac] #18792: Wrong FROM email when using wp_mail and built in mail() function

WordPress Trac noreply at wordpress.org
Mon Oct 21 21:07:07 UTC 2013


#18792: Wrong FROM email when using wp_mail and built in mail() function
-------------------------------------------------+-------------------------
 Reporter:  pigster                              |       Owner:  westi
     Type:  defect (bug)                         |      Status:  accepted
 Priority:  normal                               |   Milestone:  Awaiting
Component:  External Libraries                   |  Review
 Severity:  major                                |     Version:  3.2.1
 Keywords:  has-patch needs-testing needs-unit-  |  Resolution:
  tests 2nd-opinion                              |
-------------------------------------------------+-------------------------

Comment (by MaximumResults):

 Replying to [comment:10 SergeyBiryukov]:
 > Minor releases are for security and regression fixes only. With enough
 > testing, the patch can still make it into 3.7 or 3.8.

 I would suggest that this is a security issue in many instances.

 If you host your WordPress site on a cPanel hosting service, any mail sent
 with wp_mail() that doesn't set the "Sender:" and "Reply-To:" headers with
 $phpmailer->SetFrom() as shown in the patch will include the cPanel login
 name and the hosting server hostname in the email headers.

 Some of those emails (registration confirmation, forgotten passwords,
 confirmation emails from form mailer plugins) could go to external
 entities including bots that might be playing with forms on the site.

 With the details from the email, the recipient of the email has almost
 everything needed to log in to cPanel on the hosting server and create
 problems. The only thing missing is the cPanel password.

 Replying to [comment:10 SergeyBiryukov]:
 > Replying to [comment:9 gruvin]:
 > > OK. Here's a patch that takes care of all of the above.
 >
 > 1. `class-phpmailer.php` is an external library, so we should avoid
 > changing it unless it's something worth reporting upstream. Since all
 > those properties are public, we can clear them in `wp_mail()` as needed.
 > 2. Please attach the patch as a file instead of pasting it in the
 > comment box.

 I would also suggest using this for the new code:

 {{{
 // Third argument ($auto) = true: SetFrom() also sets Sender (envelope From)
 // and Reply-To, not just the From header.
 $phpmailer->SetFrom(
         apply_filters( 'wp_mail_from', $from_email ),
         apply_filters( 'wp_mail_from_name', $from_name ),
         true
 );
 }}}
 The current version of class-phpmailer.php does default to 1 for the third
 parameter ($auto within the SetFrom() function), but $this->Sender and
 $this->ReplyTo are set inside a block with "if ($auto) {/*...Set Reply-to
 and Sender...*/}". Specifying an explicit true on that parameter might be
 wise, just in case defaults change in a future version of
 class-phpmailer.php.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18792#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
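As an added defender-side check (not part of the ticket, the patch, or WordPress itself), the following Python parses a received message's headers and flags the mismatch the comment above describes: a Sender: or Return-Path: address filled in by the MTA that differs from the configured From: address. The two sample messages, and the account name and hostname in them, are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr


def leaked_server_identity(raw_message):
    """Return [(header, address)] for envelope-derived headers whose address
    differs from the From: address. This is what a recipient sees when mail()
    was called without an explicit envelope sender: the MTA records the web
    server's system account and hostname instead of the site's address."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for header in ("Sender", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1].lower()
        if addr and addr != from_addr:
            findings.append((header, addr))
    return findings


# Constructed sample: envelope sender left to the MTA, so the hosting account
# and server hostname (placeholders here) end up in the headers.
LEAKY = (
    "From: WordPress <wordpress@example.com>\r\n"
    "Sender: acct1234@server42.hosting.example.net\r\n"
    "Return-Path: <acct1234@server42.hosting.example.net>\r\n"
    "Subject: [Example] Password Reset\r\n"
    "\r\n"
    "Someone requested a password reset for this account.\r\n"
)

# Constructed sample: the same mail after SetFrom(..., true) also set the
# envelope sender (PHPMailer's Sender property) and Reply-To.
FIXED = (
    "From: WordPress <wordpress@example.com>\r\n"
    "Reply-To: WordPress <wordpress@example.com>\r\n"
    "Return-Path: <wordpress@example.com>\r\n"
    "Subject: [Example] Password Reset\r\n"
    "\r\n"
    "Someone requested a password reset for this account.\r\n"
)

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, leaked_server_identity(sample) or "ok")
```

Run it against a mail actually received from the site (saved as raw source) to confirm whether the envelope sender is being set.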