
PHPMailer RCE - easychris
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
======
orf
No details on what the actual issue was, but I think it's fixed in this
commit[1]. Seems like the escapeshellarg addition is the important bit.

 _Sigh_

It seems a bit... odd... to try and embargo/withhold information about a
vulnerability when the fix is publicly available on their github for anybody
to see.

1.
[https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...](https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc)

~~~
DCoder
That added call to escapeshellarg sanitizes the "From" address before passing
it to PHP's mail() function as an additional parameter. That function will
invoke a preconfigured executable (sendmail or a compatible wrapper) and pass
that parameter to it along with the rest of the email data. It is worth noting
that:

1) PHPMailer can be configured to send mail through raw SMTP, by directly
invoking sendmail, or by calling PHP's mail() function. The changes in this
commit only affect the last mode.

2) The "From" address is typically chosen by the site operator/server
administrator, not customizable by a site visitor. I have built sites with
"share this page with a friend" functionality that sent email from one given
email address to another, but this practice seems to have fallen out of favour
when SPF became popular.

------
dorianm
Seems to come from the From email field:
[https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5....](https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5.2.18)

More details here: [https://www.saotn.org/exploit-phps-mail-get-remote-code-exec...](https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/)

PHP mail doc:
[http://php.net/manual/en/function.mail.php](http://php.net/manual/en/function.mail.php)

A function that allows to pass arbitrary flags to a command line, what could
go wrong... :)

    mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');
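
As an added illustration of the mail() code path discussed in this thread (the escapeshellarg() fix DCoder describes and the -f parameter shown above), this is not PHPMailer's code nor any commenter's; the function names, the address pattern and the two sample addresses are my own assumptions.

```php
<?php
// Added example: how the fifth argument of mail() ("additional_params")
// gets assembled from a sender address, unescaped versus escaped, plus a
// strict pre-check that refuses anything that is not a plain address.

// Assumed shape of the pre-fix construction: the address is dropped
// straight into the sendmail command line after "-f".
function buildParamsUnescaped(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// Hardened variant: escapeshellarg() wraps the value in single quotes and
// escapes embedded single quotes, so the value reaches the sendmail binary
// as one argv entry instead of being split into extra flags.
function buildParamsEscaped(string $sender): string
{
    return sprintf('-f%s', escapeshellarg($sender));
}

// Primary control: allow-list the sender before it goes anywhere near a
// command line. Deliberately stricter than RFC 5322; adjust to taste.
function isPlainAddress(string $sender): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $sender);
}

// Constructed inputs: an ordinary address and one carrying shell-significant
// characters (a space and a quote), which must never become extra arguments.
$samples = [
    'webmaster@example.com',
    "a b\"c@example.com",
];

foreach ($samples as $sender) {
    printf("sender:     %s\n", $sender);
    printf("unescaped:  %s\n", buildParamsUnescaped($sender));
    printf("escaped:    %s\n", buildParamsEscaped($sender));
    printf("accepted:   %s\n\n", isPlainAddress($sender) ? 'yes' : 'no');
}
```

Treat the allow-list as the real defence and the escaping as a second layer: escaping alone was later shown to be insufficient on this exact code path, whereas an address that fails isPlainAddress() should simply never be passed to mail() at all.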

------
cebe
In case anyone needs this:

A script for finding vulnerable versions of PHPMailer on a server:

[https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf11...](https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf116)

Also finds really old versions like 2.0.4.

~~~
etcet
Find is a powerful tool:

    find /var/www -name 'class.phpmailer.php' -print -exec grep -ni '%s["'\''], $this->Sender' {} \;

------
janci
If I understand, only implementations using "sendmail" (ie. not mail() or
SMTP) are affected.

~~~
DCoder
That's not correct, the added escapeshellarg() call is inside the mailSend()
function, which sends mail through php's mail(). See [1].

[1]:
[https://github.com/PHPMailer/PHPMailer/blame/4835657cd639fbd...](https://github.com/PHPMailer/PHPMailer/blame/4835657cd639fbd09afd33307cef164edf807cdc/class.phpmailer.php#L1438-L1449)

~~~
SwellJoe
But, if something comes into the mail server via SMTP, it's gonna be protected
by the mail server's own defenses. Unless the MTA also has a similar
vulnerability, it wouldn't be dangerous in the SMTP case. Right? Or are you
saying just the PHP mail() function is similarly exploitable?

~~~
DCoder
The parent post said "only implementations using sendmail (ie. not mail() or
SMTP) are affected".

From my reading of the code, "only implementations using mail() (ie. not
sendmail or SMTP) are affected".

