
[Vulnerability notice] CVE-2016-10033: Remote code execution vulnerability in PHPMailer

Last Updated: Apr 18, 2018

Dawid Golunski, a Polish researcher, recently discovered a serious remote code execution vulnerability in PHPMailer. The vulnerability has been published at legalhackers.com, but exploitation details and a PoC are not included.

See the following for more information about the vulnerability.


CVE identifier

CVE-2016-10033

Vulnerability name

PHPMailer remote code execution vulnerability

Vulnerability rating

High

Vulnerability description

The vulnerability allows a remote attacker to run arbitrary code in the context of the web server account, which threatens web applications. It is exploited mainly through common web forms, such as feedback forms, registration forms, and email password reset forms.

Because the sender’s email address is not escaped before it is passed to a shell command when mail is sent, an attacker can embed shell commands in the sender’s email address to run malicious code on the target machine or website.

Condition and method of exploitation

The vulnerability can be exploited remotely when the ssh-agent process is enabled. However, this process is disabled by default and is used only in the case of password-free logon between hosts.

Affected scope

  • Open-source CMSs that use PHPMailer: WordPress, Drupal, 1CRM, and Joomla!
  • PHPMailer earlier than 5.2.18

How to fix or mitigate

Upgrade to the official release 5.2.18 or later.
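To find copies that still need the upgrade, including ones bundled inside a CMS, the script below walks a directory tree and compares each copy's declared version with 5.2.18. It is an added example, not code from this notice or from the PHPMailer project. It assumes the 5.x class file is named class.phpmailer.php (or class-phpmailer.php, the name WordPress uses) and declares its version as a `$Version` property.

```shell
#!/bin/sh
# Added example: report bundled PHPMailer 5.x copies older than the fixed release.
FIXED="5.2.18"   # fixed release named in this notice

# Print the version a PHPMailer class file declares (empty if none found).
# Assumption: the 5.x source declares it as  public $Version = '5.2.17';
phpmailer_version() {
    sed -n "s/.*[\$]Version[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$1" |
        head -n 1
}

# Succeed (exit 0) only when dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 5.2.9 sorts below 5.2.18.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Walk a directory tree and print one "STATUS VERSION PATH" line per copy.
# Assumption: copies keep the upstream name class.phpmailer.php or the
# WordPress name class-phpmailer.php.
audit_phpmailer() {
    find "$1" -type f \( -iname 'class.phpmailer.php' -o -iname 'class-phpmailer.php' \) |
    while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ -z "$v" ]; then
            echo "UNKNOWN - $f"
        elif version_lt "$v" "$FIXED"; then
            echo "VULNERABLE $v $f"
        else
            echo "OK $v $f"
        fi
    done
}

# Run against the directory given on the command line, e.g. a web root.
if [ "$#" -gt 0 ]; then
    audit_phpmailer "$1"
fi
```

An UNKNOWN line means the file name matched but no version declaration was found, so that copy needs a manual check.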

Reference

[1]. https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
[2]. https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
