oss-sec mailing list archives
Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
From: Peter Bex <peter () more-magic net>
Date: Mon, 26 Dec 2016 15:55:59 +0100
On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
Hi, Given I had plenty of time on the train to 33c3 I did a quick lookaround on what contains PHPMailer. As the details of the vuln aren't clear yet this doesn't necessarily mean they're vulnerable, just that they ship the affected code.
It looks like the vulnerability is due to a missing escaping of shell arguments in the sender's e-mail address. This commit seems to be the one that fixes the bug: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449 So it depends on whether a web form allows one to control the "from" mail address or not.
Drupal doesn't contain PHPMailer, although mentioned in the advisory. But there are probably plugins and extensions using it. I also saw it used in some wordpress themes.
I noticed this Drupal module: https://www.drupal.org/project/phpmailer which has some sort of integration with the widely used mimemail module. The linked module http://drupal.org/project/smtp also uses PHPMailer. There are undoubtedly more modules that do. The LCMS system Chamilo also uses PHPMailer for sending mails internally. Cheers, Peter Bex
Attachment:
signature.asc
Description: Digital signature
Current thread:
- PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Dawid Golunski (Dec 25)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Hanno Böck (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: [security] [oss-security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Michael Hess (Dec 26)
- Re: [security] [oss-security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Yannick Warnier (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Hanno Böck (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Tracy Reed (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Michael Hess (Dec 27)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Florian Pritz (Dec 27)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Dawid Golunski (Dec 27)