On Friday the 13th, Magento announced a new vulnerability in the Email Component of Zend Framework 1 and 2, a component which is used by all Magento 1 and Magento 2 versions.
This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent. The attack is performed by providing additional quote characters within an address. If the address is not sanitized, these characters can be interpreted as additional command-line arguments to the system sendmail program, leading to the vulnerability.
Magento is currently working to provide patches to close this vulnerability. They also provide a quick workaround to protect your shop from a possible attack: check your mail sending settings and disable the "Set Return-Path" setting.
Magento 1:
System -> Configuration -> System -> Mail Sending Settings -> Set Return-Path
Magento 2:
Stores -> Configuration -> Advanced -> System -> Mail Sending Settings -> Set Return-Path
If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. As the risk is very high, it is strongly recommended to turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used.
Ian Cassidy demonstrates an easy way to check and set the Magento mail settings with n98-magerun, which is great if you have multiple clients.
Check and set your #magento mail settings easily with #n98magerun great for multiple clients https://t.co/2SqXdFJ6Nk #realmagento #magento2 pic.twitter.com/aH5yittkri
— Ian Cassidy (@iancassidyweb) January 16, 2017
Get mail return path settings for Magento 1 & Magento 2
n98-magerun.phar config:get --scope="default" --scope-id="0" system/smtp/set_return_path
Set mail return path settings for Magento 1 & Magento 2
n98-magerun.phar config:set --scope="default" --scope-id="0" system/smtp/set_return_path 0
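For several client stores, the check above can be looped over each Magento root. The script below is an added example, not part of the original post or of n98-magerun: the `MAGERUN` variable, the function names and the status labels are hypothetical, and it assumes `config:get` prints its result as a `|`-delimited table row with the value in the last column.

```shell
#!/bin/sh
# Added example: report system/smtp/set_return_path for each store root given
# as an argument. MAGERUN may point at another single executable (assumption).
MAGERUN="${MAGERUN:-n98-magerun.phar}"
CFG_PATH="system/smtp/set_return_path"

# Read config:get output on stdin and print the value column.
# Assumed row layout: | <path> | <scope> | <scope-id> | <value> |
parse_value() {
    awk -F'|' -v p="$CFG_PATH" '
        index($0, p) && NF >= 3 {
            v = $(NF - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim table padding
            print v
            exit
        }'
}

# Map the stored value to a status label (labels are this example's own).
classify() {
    case "$1" in
        0)  echo "OK" ;;        # "No": the setting recommended on this page
        "") echo "UNSET" ;;     # no row parsed; confirm in the admin panel
        *)  echo "ENABLED" ;;   # anything other than "No": switch it off
    esac
}

# Run the page's config:get command inside one store root and classify it.
check_store() {
    out=$(cd "$1" 2>/dev/null &&
          "$MAGERUN" config:get --scope="default" --scope-id="0" "$CFG_PATH" 2>/dev/null) ||
        { echo "ERROR"; return 0; }
    classify "$(printf '%s\n' "$out" | parse_value)"
}

# Usage: sh audit-return-path.sh /var/www/client-a /var/www/client-b
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        printf '%-8s %s\n' "$(check_store "$root")" "$root"
    done
fi
```

Stores reported as `ENABLED` can then be fixed with the `config:set` command shown above.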