There is a vulnerability in PHPMailer, a popular library for the organization to send e-mail messages from applications in PHP, the number of users is estimated at 9 million, a critical vulnerability discovered (CVE-2016-10033), which allows to initiate a remote code execution without passing authentication.

The problem is similar to the recently found vulnerability in Roundcube Webmail, and is also associated with unsafe use of PHP-mail () function in conjunction with sendmail utility as the default transport.

The lack of due diligence of the parameter «Sender» (misinterpretation shielded quotes), allows you to organize the transfer of utility sendmail arbitrary command line arguments, including those one can over ride the queue directory and the file with the log that allows you to organize recorded message to an arbitrary file on the local file system on the server rights under which it runs PHP-application.

In particular, an attempt to send a message to the email «Attacker \» -Param2 -Param3 “@ test.com will lead to the implementation of utility sendmail with the following arguments:

Arg no. 0 == [/ usr / sbin / the sendmail]
of Arg the no. 1 == [-t]
of Arg the no. 2 == [-i]
of Arg the no. 3 == [-fAttacker \]
of Arg the no. 4 == [-Param2]
of Arg the no. 5 == [-Param3 “@ test.com]

To write code in /var/www/cache/phpcode.php file as the sender can specify ‘ »attacker \» -oQ / tmp / -X / var / www / cache / phpcode.php some »@ email.com’, that demonstrates the following prototype exploit (option «-X / var / www / cache / phpcode.php» will lead to the creation of the log /var/www/cache/phpcode.php which is written the message body).

This issue is addressed in PHPMailer 5.2.18, all earlier releases affected. Distributions have not yet released the update packages: Debian, RHEL / CentOS, Fedora, Ubuntu, SUSE, openSUSE. The problem manifests itself when using the default settings: off safe_mode, and to send the used PHP-mail () function and sendmail utility (options utility / usr / sbin / sendmail from Postfix project and Exim can not be used to attack, as they ignore the option «-X»).

The vulnerability is exacerbated by the fact that PHPMailer is used in many popular products for the Web, including WordPress, Drupal, Joomla, 1CRM, SugarCRM, Yii and hundreds of other projects.

The attack can be carried out through various forms of sending feedback, registration, communication with the administration and other operations resulting in sending e-mails using PHPMailer. Vulnerable or not a specific system depends on how well they implemented additional testing email-addresses before sending messages via PHPMailer PHPMailer and if the default settings are used.

More than 3000+ Pakistani websites are to be affected by this vulnerability.If you are using the affected version please apply patch.If you have any problems please contact us @ info(at)tier3.pk.