A new vulnerability has been found in a Zend Framework 1 and 2 email component. The component is used by all Magento 1 and Magento 2 software and other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.
A remote code execution attack gives the attacker the ability to trigger arbitrary code execution from one machine on another and is powerful because it allows the attacker to completely take over the vulnerable process. This vulnerability can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application.
While there have yet to be any attacks from this vulnerability, the risk is high. Magento are currently working to provide security patches to close the vulnerability, which should be available in the next few weeks, but until then it’s recommended that you check your mail sending settings:
- Magento 1: System -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path
- Magento 2: Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path
In the system settings used to control the “reply to” address for email sent from your Magento store, “Set Return-Path” needs to be changed to ‘No’ if the server is currently using Sendmail. At Nimbus we use Postfix rather than Sendmail, so it shouldn’t cause a problem, but it’s advisable that you check and set the return-path to ‘No’ regardless of your email server or transport agent.
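To confirm the stored value rather than relying on the admin screen alone, the following added example (not from the original post or from Magento) audits a tab-separated export of the `core_config_data` table and lists every scope where Set Return-Path is not ‘No’. It assumes the setting is stored under the path `system/smtp/set_return_path` with values 0 (No), 1 (Yes) and 2 (Specified); the function name and the sample rows are constructed for illustration.

```python
import csv
import io

# Assumed config path for "Set Return-Path"; it is not stated on the page.
SET_RETURN_PATH = "system/smtp/set_return_path"
LABELS = {"0": "No", "1": "Yes", "2": "Specified"}  # assumed value mapping

# Constructed sample: tab-separated export, e.g. produced with
#   mysql -B -e "SELECT scope, scope_id, path, value FROM core_config_data
#                WHERE path LIKE 'system/smtp/%'"
SAMPLE_EXPORT = (
    "scope\tscope_id\tpath\tvalue\n"
    "default\t0\tsystem/smtp/set_return_path\t0\n"
    "default\t0\tsystem/smtp/return_path_email\tbounce@shop.example\n"
    "websites\t2\tsystem/smtp/set_return_path\t2\n"
    "stores\t5\tsystem/smtp/set_return_path\t1\n"
)


def audit_return_path(export_text):
    """Return (findings, has_default_row).

    findings lists (scope, scope_id, label) for every row where the setting
    is anything other than 'No'. A row saved at website or store scope
    overrides the default scope, so every scope is checked, not just default.
    """
    findings = []
    has_default_row = False
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        if row["path"] != SET_RETURN_PATH:
            continue
        if row["scope"] == "default":
            has_default_row = True
        value = (row["value"] or "").strip()
        if value != "0":
            label = LABELS.get(value, f"unexpected value {value!r}")
            findings.append((row["scope"], int(row["scope_id"]), label))
    return findings, has_default_row


if __name__ == "__main__":
    findings, has_default_row = audit_return_path(SAMPLE_EXPORT)
    for scope, scope_id, label in findings:
        print(f"Set Return-Path is '{label}' at {scope}/{scope_id}: change to 'No'")
    if not has_default_row:
        print("No explicit default-scope row: confirm the value in the admin panel")
```

If the export contains no default-scope row, the value in effect is the installation's built-in default, so check it in the admin panel as described above.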
You can read more on the Magento Security Centre.