Date: Tue, 27 Dec 2016 12:02:43 +0100
From: Florian Pritz <bluewind@...u.at>
To: oss-security@...ts.openwall.com
Subject: Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

On 27.12.2016 01:10, Tracy Reed wrote:
> Particularly since this is command
> injection which is precisely what SELinux is good at limiting (as
> opposed to SQL injection).

This is not strictly command injection. It is more similar to an
unrestricted file upload vulnerability. The problem is that you can use
the sendmail -X option to write a log file of the SMTP dialog (with an
arbitrary path) that then contains e.g. php code which you can execute
via a second request.

php itself actually prevents you from performing command injection
because according to the documentation of the mail() function, the
arguments are wrapped in escape_shellcmd() internally. It just doesn't
prevent you from passing arbitrary arguments.

The attack is described here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Also note that postfix' sendmail implementation does not support the -X
option. Additionally I believe there are no other options in postfix'
sendmail that are vulnerable to this issue, but feel free to verify this.

Florian
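The distinction drawn in the message above, between escaping shell metacharacters and preventing extra arguments, shown as an added example that is not part of the original message or of PHPMailer. It assumes the application builds the extra mail() parameter as "-f" followed by the sender address, uses a simplified model of the escaping step, and runs on constructed sample values with a placeholder path.

```python
import re
import shlex

# Simplified model of the metacharacter escaping PHP applies to the extra
# mail() parameters (assumption: backslash-escape only; the real function's
# handling of unpaired quotes is omitted here).
_META = re.compile(r'([&#;`|*?~<>^()\[\]{}$\\\n\xff])')

def escape_metachars(s: str) -> str:
    return _META.sub(r'\\\1', s)

def sendmail_argv(sender: str) -> list[str]:
    """Words the shell would hand to sendmail for an unvalidated sender.
    Assumes the parameter string is built as "-f" + sender."""
    return shlex.split(escape_metachars("-f" + sender))

def injected_options(sender: str) -> list[str]:
    """Options that appear beyond the single intended -f<address> word."""
    return [a for a in sendmail_argv(sender)[1:] if a.startswith("-")]

# Conservative allow-list for an envelope sender: no whitespace, quotes or
# backslashes, and no leading dash, so it can never split into extra words.
_SAFE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

def is_safe_sender(sender: str) -> bool:
    return not sender.startswith("-") and _SAFE.fullmatch(sender) is not None

# Constructed sample values (not taken from any real incident).
SAMPLES = [
    "user@example.com",                      # ordinary address
    "a;b@example.com",                       # metacharacter: escaped, stays one word
    "a -X/placeholder/path b@example.com",   # whitespace: becomes a separate option
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: argv={sendmail_argv(s)} "
              f"extra_options={injected_options(s)} safe={is_safe_sender(s)}")
```

The second sample stays a single argument after escaping, while the third passes through the escaping unchanged and is only caught by the allow-list check on the sender.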