PHPMailer RCE (legalhackers.com)
46 points by easychris on Dec 26, 2016 | hide | past | favorite | 10 comments

No details on what the actual issue was, but I think it's fixed in this commit[1]. Seems like the escapeshellarg addition is the important bit.


It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their github for anybody to see.

1. https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...

That added call to escapeshellarg sanitizes the "From" address before passing it to PHP's mail() function as an additional parameter. That function will invoke a preconfigured executable (sendmail or a compatible wrapper) and pass that parameter to it along with the rest of the email data. It is worth noting that:

1) PHPMailer can be configured to send mail through raw SMTP, by directly invoking sendmail, or by calling PHP's mail() function. The changes in this commit only affect the last mode.

2) The "From" address is typically chosen by the site operator/server administrator, not customizable by a site visitor. I have built sites with "share this page with a friend" functionality that sent email from one given email address to another, but this practice seems to have fallen out of favour when SPF became popular.

Perhaps "limited advisories" are always damaging because they can lead users to think not everyone "knows" about the vuln and thus that they have extra time to patch, whereas most people who understand the issues generally won't have much trouble finding the exploit once they have a clue of where to look (especially in code like this).

Seems to come from the From email field: https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5....

More details here: https://www.saotn.org/exploit-phps-mail-get-remote-code-exec...

PHP mail doc: http://php.net/manual/en/function.mail.php

A function that allows passing arbitrary flags to a command line, what could go wrong... :)

    mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');
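As an added example (not code from the thread or from PHPMailer itself), the following PHP shows the pattern the commit discussed above changes: the sender address is formatted into the `-f` parameter that mail() hands to the sendmail binary, first verbatim, then wrapped in escapeshellarg(), and finally behind a validating wrapper that rejects anything that is not a plain mailbox address. The function names and the sample inputs are constructed for this illustration; nothing here actually calls mail().

```php
<?php
// Added example, not from the thread or from PHPMailer itself.
// Shows how the Sender/From value becomes part of the sendmail command line
// through mail()'s fifth parameter, and a validating wrapper to use instead of
// relying on escaping alone. Function names here are hypothetical.

// Roughly what the pre-fix code did: the address is interpolated verbatim,
// so any whitespace in it produces extra tokens on the sendmail command line.
function sendmail_param_unescaped(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// Roughly what the linked commit does: wrap the value in escapeshellarg(),
// which single-quotes it so the shell sees a single argument.
function sendmail_param_escaped(string $sender): string
{
    return sprintf('-f%s', escapeshellarg($sender));
}

// Defensive wrapper: reject anything that is not a plain mailbox address
// before it gets anywhere near a command line. FILTER_VALIDATE_EMAIL still
// permits some RFC 5322 local-part characters that are shell metacharacters,
// so an explicit denylist is applied as well. Returns null on rejection so
// the caller can fall back to a fixed, operator-configured envelope sender.
function sendmail_param_validated(string $sender): ?string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (preg_match('/[\s\'"`\\\\$;&|<>(){}]/', $sender)) {
        return null;
    }
    return sprintf('-f%s', escapeshellarg($sender));
}

// Constructed inputs (not taken from the thread).
$inputs = [
    'webmaster@example.com',        // ordinary address: accepted
    'webmaster@example.com extra',  // whitespace: would become a second argument
    "web'master@example.com",       // quote character: rejected
];

foreach ($inputs as $in) {
    printf("%-32s unescaped=[%s] escaped=[%s] validated=[%s]\n",
        $in,
        sendmail_param_unescaped($in),
        sendmail_param_escaped($in),
        sendmail_param_validated($in) ?? 'REJECTED');
}

// How this plugs into the mail() call quoted above, once validation passes:
//   $param = sendmail_param_validated($sender);
//   if ($param === null) { $param = '-fwebmaster@example.com'; }
//   mail('nobody@example.com', 'the subject', 'the message', null, $param);
```

The design point is that escaping is the last line of defence, not the first: a value that ends up as a process argument should be validated against the narrowest shape the application actually needs (here, one mailbox address chosen by the operator), and the escaping call is kept only as a safety net for the case where that validation is bypassed or misconfigured.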

In case anyone needs this:

A script for finding vulnerable versions of PHPMailer on a server:


Also finds really old versions like 2.0.4.

Find is a powerful tool:

    find /var/www -name 'class.phpmailer.php' -print -exec grep -ni '%s["'\''], $this->Sender' {} \;

If I understand, only implementations using "sendmail" (i.e. not mail() or SMTP) are affected.

That's not correct, the added escapeshellarg() call is inside the mailSend() function, which sends mail through php's mail(). See [1].

[1]: https://github.com/PHPMailer/PHPMailer/blame/4835657cd639fbd...

But, if something comes into the mail server via SMTP, it's gonna be protected by the mail server's own defenses. Unless the MTA also has a similar vulnerability, it wouldn't be dangerous in the SMTP case. Right? Or are you saying just the PHP mail() function is similarly exploitable?

The parent post said "only implementations using sendmail (i.e. not mail() or SMTP) are affected".

From my reading of the code, "only implementations using mail() (i.e. not sendmail or SMTP) are affected".
