Date: Tue, 27 Dec 2016 12:02:43 +0100 From: Florian Pritz <bluewind@...u.at> To: oss-security@...ts.openwall.com Subject: Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] On 27.12.2016 01:10, Tracy Reed wrote: > Particularly since this is command > injection which is precisely what SELinux is good at limiting (as > opposed to SQL injection). This is not strictly command injection. It is more similar to an unrestricted file upload vulnerability. The problem is that you can use the sendmail -X option to write a log file of the SMTP dialog (with an arbitrary path) that then contains e.g. php code which you can execute via a second request. php itself actually prevents you from peforming command injection because according to the documentation of the mail() function, the arguments are wrapped in escape_shellcmd() internally. It just doesn't prevent you from passing arbitrary arguments. The attack is described here: https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ Also note that postfix' sendmail implementation does not support the -X option. Additionally I believe there are no other options in postfix' sendmail that are vulnerable to this issue, but feel free to verify this. Florian Download attachment "signature.asc" of type "application/pgp-signature" (859 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.