Date: Tue, 27 Dec 2016 12:02:43 +0100
From: Florian Pritz <bluewind@...u.at>
To: oss-security@...ts.openwall.com
Subject: Re: PHPMailer < 5.2.18 Remote Code Execution
 [CVE-2016-10033]

On 27.12.2016 01:10, Tracy Reed wrote:
> Particularly since this is command
> injection which is precisely what SELinux is good at limiting (as
> opposed to SQL injection).

This is not strictly command injection. It is more similar to an
unrestricted file upload vulnerability. The problem is that you can use
the sendmail -X option to write a log file of the SMTP dialog (with an
arbitrary path) that then contains e.g. php code which you can execute
via a second request. php itself actually prevents you from performing
command injection because according to the documentation of the mail()
function, the arguments are wrapped in escape_shellcmd() internally. It
just doesn't prevent you from passing arbitrary arguments.

The attack is described here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Also note that postfix' sendmail implementation does not support the -X
option. Additionally I believe there are no other options in postfix'
sendmail that are vulnerable to this issue, but feel free to verify this.

Florian
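
The distinction drawn in the message above (shell metacharacters are escaped, extra arguments are not), as an added example that is not part of the original message and is not PHPMailer's or PHP's own code. The helper name `envelope_sender_param()`, the allow-list pattern and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example. Hypothetical helper: build the value for the fifth
// parameter of mail() only from a sender address that cannot split into
// additional sendmail arguments.
function envelope_sender_param(string $sender): ?string
{
    // Conservative allow-list (an assumption, stricter than RFC 5321):
    // no whitespace, quotes, backslashes or control characters, and the
    // local part must start with an alphanumeric, so never with '-'.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}'
             . '@[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/';
    if (preg_match($pattern, $sender) !== 1) {
        return null;            // caller should refuse to send
    }
    return '-f' . $sender;
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    'bob+news@mail.example.org',
    'carol@example.com -X/placeholder/path', // space starts a second argument
    '"dave smith"@example.com',              // quoted local part, rejected here
    '-oQ@example.com',                       // leading dash
];

foreach ($samples as $s) {
    // escapeshellcmd() only neutralises shell metacharacters; a string made
    // of spaces, dashes and slashes passes through unchanged, so the
    // "unchanged" column does not mean the value is safe as one argument.
    $unchanged = escapeshellcmd($s) === $s ? 'yes' : 'no';
    $param     = envelope_sender_param($s);
    printf(
        "%-42s escapeshellcmd unchanged: %-3s -> %s\n",
        $s,
        $unchanged,
        $param === null ? 'REJECTED' : $param
    );
}
```

The third sample comes back from `escapeshellcmd()` unchanged yet is rejected by the allow-list, which is the gap the message describes.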


