Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Dec 2016 13:08:52 -0200
From: Dawid Golunski <>
Subject: Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

I attached an updated advisory in a new thread.

For anyone looking for it on this thread, the latest version is at:

On Mon, Dec 26, 2016 at 10:10 PM, Tracy Reed <> wrote:
> Note that confining the http process using SELinux or similar MAC system
> can go a long way to constraining and limiting the damage of inevitable
> vulnerabilities such as this. Particularly since this is command
> injection which is precisely what SELinux is good at limiting (as
> opposed to SQL injection).
> My shop has a policy that SELinux will be enabled on all web
> applications and it has already saved us a few times despite being very
> good at getting things patched up promptly.
> On Sun, Dec 25, 2016 at 06:21:07PM PST, Dawid Golunski spake thusly:
>> PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
>> Severity: CRITICAL
>> Discovered by:
>> Dawid Golunski (@dawid_golunski)
>> PHPMailer
>> "Probably the world's most popular code for sending email from PHP!
>> Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
>> Joomla! and many more"
>> Desc:
>> An independent research uncovered a critical vulnerability in PHPMailer that
>> could potentially be used by (unauthenticated) remote attackers to achieve
>> remote arbitrary code execution in the context of the web server user and
>> remotely compromise the target web application.
>> To exploit the vulnerability an attacker could target common website
>> components such as contact/feedback forms, registration forms, password
>> email resets and others that send out emails with the help of a vulnerable
>> version of the PHPMailer class.
>> Patching:
>> Responsibly disclosed to PHPMailer team.
>> They've released a critical security release.
>> If you are using an affected release update to the 5.2.18 security
>> release as advised at:
>> Notes:
>> I know this is a bad timing and a short notice (for everyone probably ;)
>> I've spent most of my Christmas break working on this issue with
>> affected vendors.
>> This has been quite a rush as one of the vendors leaked excessive
>> information on this vulnerability at one point which could aid
>> potential attackers.
>> I've released a limited advisory at the link below:
>> This is to give people a chance to immediately patch or at least be
>> aware of the issue before we get closer to a working day/end of
>> holiday for affected users to act on this issue.
>> I'm planning to release the full advisory and a PoC exploit shortly so
>> that everyone is on the same page.
>> Upcoming video PoC:
>> For updates follow:
>> I'll also send another email to the list once it is published.
>> For now,
>> Patch it now before someone else patches it for you (through a reverse shell ;)
>> --
>> Regards,
>> Dawid Golunski
>> t: @dawid_golunski
> --
> Tracy Reed

Dawid Golunski
t: @dawid_golunski

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ