Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Dec 2016 03:03:39 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
 (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
(CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Discovered by Dawid Golunski (@...id_golunski)
https://legalhackers.com

Desc:

I discovered that the current PHPMailer versions (< 5.2.20) were still
vulnerable to RCE as it is possible to bypass the currently available
patch.

This was reported responsibly to the vendor & assigned a CVEID on the
26th of December.
The vendor has been working on a new patch which would fix the problem but
not break the RFC too badly. The patch should be published very soon.

I'm releasing this as a 0day without the new patch available publicly
as a potential bypass was publicly discussed on oss-sec with Solar
Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
further would serve no purpose.


Current advisory URL:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

More updates soon at:

https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

View attachment "PHPMailer-fix-bypass.txt" of type "text/plain" (6286 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ