Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 15:55:59 +0100
From: Peter Bex <peter@...e-magic.net>
To: oss-security@...ts.openwall.com
Cc: security@...pal.org, security@...milo.org
Subject: Re: PHPMailer < 5.2.18 Remote Code Execution
 [CVE-2016-10033]

On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
> Hi,
> 
> Given I had plenty of time on the train to 33c3 I did a quick
> lookaround on what contains PHPMailer. As the details of the vuln
> aren't clear yet this doesn't necessarily mean they're vulnerable, just
> that they ship the affected code.

It looks like the vulnerability is due to a missing escaping of shell
arguments in the sender's e-mail address.  This commit seems to be
the one that fixes the bug:
https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449

So it depends on whether a web form allows one to control the "from"
mail address or not.

> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
> But there are probably plugins and extensions using it. I also saw it
> used in some wordpress themes.

I noticed this Drupal module: https://www.drupal.org/project/phpmailer
which has some sort of integration with the widely used mimemail module.
The linked module http://drupal.org/project/smtp also uses PHPMailer.
There are undoubtedly more modules that do.

The LCMS system Chamilo also uses PHPMailer for sending mails internally.

Cheers,
Peter Bex

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ