We found this security hole when it was exploited on our own website, and we were able to trace the problem. ocProducts is not the originator of the spam sent through our servers, but we apologise upfront for this problem.
To fix this problem:
- choose the attached file appropriate for your PHP version
- extract the included mail.php file
- upload the file to the sources/ directory of your website
A new patch release of ocPortal 3 will be available soon, but new users need not worry because we have re-released the latest version with this patch included.
ocPortal version 2.6.4 has been released (quick installer, manual installer). It fixes this problem along with a number of other bugs that have been found since version 3 was released. This is the last release of the 2.6.x family and these versions are now officially at their end-of-life. Upgrading to version 3 is strongly recommended.