Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 12:57:26 -0500
From: Michael Hess <>
Subject: Re: [security] PHPMailer < 5.2.18 Remote Code
 Execution [CVE-2016-10033]

The Drupal Security team is going to release a PSA on this topic, we
don't normally do it, but given the holiday we will issue PSA-004, in
about 30 min.

The text is below.

Michael on behalf of the Drupal Security Team.

Posted by Drupal Security Team on December 26, 2016 at 12:50pm

Advisory ID: DRUPAL-SA-PSA-2016-004
Project: PHPMailer (third-party library)
Version: 7.x, 8.x
Date: 2016-December-26
Security risk: 23/25 (Highly Critical)
Vulnerability: Arbitrary PHP code execution


The PHPMailer and SMTP modules (and maybe others) add support for
sending e-mails using the 3rd party PHPMailer library.

In general the Drupal project does not create advisories for 3rd party
libraries. Drupal site maintainers should pay attention to the
notifications provided by those 3rd party libraries as outlined in
PSA-2011-002 - External libraries and plugins. However, given the
extreme criticality of this issue and the timing of its release we are
issuing a Public Service Announcement to alert potentially affected
Drupal site maintainers.

CVE identifier(s) issued


Versions affected

All versions of the external PHPMailer library < 5.2.18.

Drupal core is not affected. If you do not use the contributed
PHPMailer third party library, there is nothing you need to do.


Upgrade to the newest version of the phpmailler library.

Reported by

Dawid Golunski

Contact and More Information

The Drupal security team can be reached at security at or
via the contact form at

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, andsecuring your site.

Follow the Drupal Security Team on Twitter at

On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <> wrote:
> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
>> Hi,
>> Given I had plenty of time on the train to 33c3 I did a quick
>> lookaround on what contains PHPMailer. As the details of the vuln
>> aren't clear yet this doesn't necessarily mean they're vulnerable, just
>> that they ship the affected code.
> It looks like the vulnerability is due to a missing escaping of shell
> arguments in the sender's e-mail address.  This commit seems to be
> the one that fixes the bug:
> So it depends on whether a web form allows one to control the "from"
> mail address or not.
>> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
>> But there are probably plugins and extensions using it. I also saw it
>> used in some wordpress themes.
> I noticed this Drupal module:
> which has some sort of integration with the widely used mimemail module.
> The linked module also uses PHPMailer.
> There are undoubtedly more modules that do.
> The LCMS system Chamilo also uses PHPMailer for sending mails internally.
> Cheers,
> Peter Bex
> --
> [ Security | ]
> [Security team mailing list management and scheduling is documented here |]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.