Date: Mon, 26 Dec 2016 15:55:59 +0100 From: Peter Bex <peter@...e-magic.net> To: oss-security@...ts.openwall.com Cc: security@...pal.org, security@...milo.org Subject: Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote: > Hi, > > Given I had plenty of time on the train to 33c3 I did a quick > lookaround on what contains PHPMailer. As the details of the vuln > aren't clear yet this doesn't necessarily mean they're vulnerable, just > that they ship the affected code. It looks like the vulnerability is due to a missing escaping of shell arguments in the sender's e-mail address. This commit seems to be the one that fixes the bug: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449 So it depends on whether a web form allows one to control the "from" mail address or not. > Drupal doesn't contain PHPMailer, although mentioned in the advisory. > But there are probably plugins and extensions using it. I also saw it > used in some wordpress themes. I noticed this Drupal module: https://www.drupal.org/project/phpmailer which has some sort of integration with the widely used mimemail module. The linked module http://drupal.org/project/smtp also uses PHPMailer. There are undoubtedly more modules that do. The LCMS system Chamilo also uses PHPMailer for sending mails internally. Cheers, Peter Bex [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ