Dawid Golunski, a Polish security researcher, recently disclosed a serious remote code execution vulnerability in PHPMailer, the widely used PHP email library. The advisory is published at legalhackers.com, but full exploitation details and a proof of concept were withheld at the time of publication.
See the following for more information about the vulnerability.
PHPMailer remote code execution vulnerability
The vulnerability allows an unauthenticated remote attacker to execute arbitrary code in the context of the web server account, which compromises the web application and potentially the host it runs on. Any web form that feeds a visitor-supplied email address into PHPMailer is an entry point; contact and feedback forms, registration forms, and password-reset forms are the typical cases.
The root cause is that the sender's email address is not properly escaped when PHPMailer hands it to the local sendmail binary through PHP's mail() function. PHPMailer's default address validation follows RFC 5322, so it accepts a quoted local part that contains spaces, and PHP's mail() strips shell metacharacters from that parameter but leaves spaces intact. An attacker can therefore craft a sender address that smuggles additional sendmail command-line arguments into the call, which is enough to get attacker-controlled code executed on the target machine or website.
Condition and method of exploitation
The vulnerability is exploitable remotely, without authentication, whenever the application passes a visitor-supplied address to PHPMailer as the From or envelope-sender (Sender) address and PHPMailer uses its default mail() transport or the sendmail transport, both of which invoke the local sendmail binary with the sender as a command-line argument. The SMTP transport does not spawn sendmail and is not affected through this path. Note that most CMSs and plugins bundle their own copy of PHPMailer, so each bundled copy must be checked.
Affected software:
- Open-source CMSs and applications that bundle PHPMailer, including WordPress, Drupal, 1CRM, and Joomla!
- PHPMailer earlier than 5.2.18
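As an added example (not from the advisory and not PHPMailer's own code), the following PHP contrasts a feedback-form handler written in the pattern the advisory describes with a hardened version that never lets a visitor choose the envelope sender. It assumes PHPMailer 5.2.x is loaded from class.phpmailer.php and that the default mail() transport is in use; the handler names, the example.com addresses, and the $post array layout are assumptions for illustration.

```php
<?php
// Added example, not from the advisory or from PHPMailer itself.
// Assumes PHPMailer 5.2.x (class.phpmailer.php) is on the include path and
// the default mail() transport is used, which shells out to sendmail.
require_once 'class.phpmailer.php';

// VULNERABLE pattern on PHPMailer < 5.2.18: the visitor-controlled address
// becomes both the From header and the envelope sender. PHPMailer's default
// RFC 5322 validation accepts a quoted local part such as "a b"@example.com,
// and the Sender is passed to PHP's mail() as the extra parameter -f<sender>;
// mail() removes shell metacharacters but not spaces, so extra sendmail
// switches reach the binary.
function sendFeedbackVulnerable(array $post)
{
    $mail = new PHPMailer();
    $mail->isMail();
    $mail->setFrom($post['email'], $post['name']); // attacker-controlled
    $mail->addAddress('support@example.com');
    $mail->Subject = 'Website feedback';
    $mail->Body    = $post['message'];
    return $mail->send();
}

// Conservative allowlist for addresses taken from a web form. Deliberately
// stricter than RFC 5322: no quoted local parts, no whitespace, no comments,
// no backslashes, so nothing that could be split into a second argument.
function isPlainAddress($address)
{
    if (!is_string($address) || strlen($address) > 254) {
        return false;
    }
    $pattern = '/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/';
    return preg_match($pattern, $address) === 1
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// HARDENED: From and the envelope sender are a fixed, server-owned address;
// the visitor's address only goes into Reply-To, and only after it passes the
// allowlist. This removes the attacker's control over the sendmail argument
// regardless of the PHPMailer version, and should be done in addition to
// upgrading, not instead of it.
function sendFeedbackHardened(array $post)
{
    if (!isPlainAddress($post['email'])) {
        return false; // reject instead of trying to sanitise
    }
    $mail = new PHPMailer();
    $mail->isMail();
    $mail->setFrom('noreply@example.com', 'Website feedback'); // fixed header
    $mail->Sender = 'noreply@example.com';                      // fixed envelope sender
    $mail->addReplyTo($post['email'], $post['name']);
    $mail->addAddress('support@example.com');
    $mail->Subject = 'Website feedback';
    $mail->Body    = $post['message'];
    return $mail->send();
}
```

The allowlist intentionally rejects some addresses that are technically valid under RFC 5322 (quoted local parts, addresses with comments); for a web form that is the right trade-off, because those forms are exactly what an attacker needs to reach the sendmail command line.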
How to fix or mitigate
Upgrade to the official release 5.2.18 or later. Because CMSs and plugins ship their own copies of PHPMailer, update the CMS core and every plugin or extension that bundles the library, not just a single system-wide copy. The initial fix in 5.2.18 was subsequently found to be incomplete (CVE-2016-10045), so deploy the latest 5.2.x release (5.2.20 or later) rather than stopping at 5.2.18. As defence in depth, do not let visitor-supplied addresses become the From or envelope-sender address; use a fixed site address and put the visitor's address in Reply-To.