Overview
A critical flaw (CVE-2016-10033) has been identified in PHPMailer, a widely used PHP library for sending email. Versions prior to 5.2.18 are affected.
The vulnerability stems from insufficient validation of the "Sender address" input. PHPMailer passes this value to PHP's mail() function as the sendmail -f parameter, and its address validation accepts RFC 5322 quoted local parts that may contain spaces and backslash-escaped characters. An attacker who controls the Sender address can therefore append extra sendmail options, such as -X, which writes a transcript of the mail transaction (message body included) to a path of the attacker's choosing. Because the attacker also controls the message body, this places a file with crafted content, for example a PHP script, in an arbitrary location on the web server such as the web root; requesting that file then executes arbitrary operating system commands on the underlying server.
Proof of concept exploit code has been published (see References). PHPMailer is bundled with WordPress and Joomla and used by many Drupal contributed modules. Wherever an application lets an unauthenticated user influence the Sender address, a common pattern in contact forms, the result is full remote code execution on the operating system of the server hosting the web application.
Is my organization vulnerable?
The affected library is extremely widely deployed: it ships with WordPress and Joomla, is used by many Drupal modules, and is embedded in countless custom PHP applications. The specific prerequisite for remote code execution, attacker control over the Sender address, will not be present in every single instance, but the vulnerable feature is exercised by many common components such as contact forms and email-based registration, authentication and password-reset features that build the sender or reply address from user-supplied input.
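The following added example (not PHPMailer's own code, nor code from the original advisory) shows the vulnerable pattern described above beside the allow-list check that PHPMailer adopted in 5.2.20. It assumes the hostile address, a constructed sample modelled on the public proof of concept, has already passed PHPMailer's RFC 5322 address validation (that validator is not reproduced here); the function names senderParamsUnsafe, senderParamsSafe and isShellSafe are my own, the last modelled on PHPMailer's method of the same name.

```php
<?php
// Added example, not PHPMailer's own code: the Sender value reaches PHP's
// mail() as the 5th ("additional parameters") argument, which mail() runs
// through escapeshellcmd() and hands to the shell that launches sendmail.

// Pre-5.2.18 behaviour: a Sender that passed the RFC-style address check is
// used verbatim to build the -f option. Validation is assumed to have
// happened already (not reproduced here).
function senderParamsUnsafe(string $sender): string
{
    // escapeshellcmd() neutralises ; | & ` and friends but leaves spaces and
    // '-' alone, so extra sendmail options inside a quoted local part survive.
    return escapeshellcmd(sprintf('-f%s', $sender));
}

// Allow-list check modelled on the isShellSafe() method PHPMailer added in
// 5.2.20: the value must be left untouched by both shell-escaping functions
// and consist only of alphanumerics plus @ _ - .
function isShellSafe(string $s): bool
{
    if ($s === ''
        || escapeshellcmd($s) !== $s
        || !in_array(escapeshellarg($s), ["'$s'", "\"$s\""], true)) {
        return false;
    }
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $c = $s[$i];
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }
    return true;
}

// Fixed behaviour: drop the -f option entirely rather than pass a hostile
// value; the message still goes out, just without an envelope sender.
function senderParamsSafe(string $sender): ?string
{
    return isShellSafe($sender) ? sprintf('-f%s', $sender) : null;
}

// Constructed samples. The hostile one is an RFC 5322 quoted local part, so an
// RFC-compliant validator accepts it, yet it carries sendmail options:
//   -oQ/tmp/  use a writable queue directory so sendmail does not abort
//   -X<file>  append a transcript of the session, message body included, to <file>
// Because the attacker also controls the body, <file> becomes a PHP web shell.
$benign  = 'alice@example.com';
$hostile = '"attacker\" -oQ/tmp/ -X/var/www/html/backdoor.php  some"@example.com';

foreach ([$benign, $hostile] as $addr) {
    printf("Sender:  %s\n  unsafe -> %s\n  safe   -> %s\n\n", $addr,
        senderParamsUnsafe($addr),
        var_export(senderParamsSafe($addr), true));
}
```

Running it shows the benign address producing `-falice@example.com` under both functions, while the hostile address survives senderParamsUnsafe (with the injected `-X` option still present as a separate shell word) and is rejected outright by senderParamsSafe. The design point is that RFC validity and shell safety are different properties: an address can be a perfectly legal mailbox and still be unsafe to place on a command line, so anything that reaches mail()'s additional-parameters argument needs its own allow-list check.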
SureCloud Platform scanning
Detection for this vulnerability is already included in the SureCloud Vulnerability Manager, and it will be detected automatically by authenticated scans. Note that an authenticated scan of the underlying server is required: a web application that is only scanned remotely, with no credentials for the host it runs on, will currently not be flagged by automated scanning.
If there are concerns around a specific web application, please feel free to contact SureCloud directly.
Vulnerability remediation
For custom applications using the PHPMailer library, update it to the latest version. Note that the initial fix in 5.2.18 could be bypassed (CVE-2016-10045), so the library should be at version 5.2.20 or later. For CMS applications and their various plugins, ensure the latest version of the CMS is used; plugins frequently bundle their own copy of PHPMailer, and it may take a while for their developers to release patches. Depending on the risk, it may be worth disabling at-risk plugins until a specific patch is available. As an interim mitigation for custom code, do not populate the Sender (envelope from) address from user-supplied input at all; use a fixed, site-owned address and put the visitor's address in Reply-To instead.
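To find every bundled copy that needs updating, including those shipped inside plugins, the following added script (not SureCloud's or PHPMailer's own code) walks a web root and reports each PHPMailer 5.x class file together with its declared version. It assumes the 5.x source layout, where the main class declares `public $Version = '5.2.x';` and lives in a file whose name contains "phpmailer" (class.phpmailer.php standalone, wp-includes/class-phpmailer.php in WordPress, libraries/phpmailer/phpmailer.php in Joomla 3); the function names and the 5.2.20 threshold are my own choices.

```php
<?php
// Added example (not SureCloud's or PHPMailer's own code): find bundled copies
// of PHPMailer 5.x under a web root and flag any older than 5.2.20, the
// release that also closed CVE-2016-10045, the bypass of the initial 5.2.18 fix.
// Assumes the 5.x source, which declares   public $Version = '5.2.x';   in the
// main class file.
// Usage: php phpmailer_audit.php /var/www   (run as a user that can read the tree)

const FIXED_VERSION = '5.2.20';

/** Version string declared in a PHPMailer 5.x class file, or null if absent. */
function phpmailerVersionOf(string $path): ?string
{
    $src = @file_get_contents($path);
    if ($src === false
        || !preg_match('/public\s+\$Version\s*=\s*\'([0-9][0-9.]*)\'/', $src, $m)) {
        return null;
    }
    return $m[1];
}

/** True when $version is at or beyond the fully fixed release. */
function isFixedVersion(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '>=');
}

/**
 * Walks $root and returns [path => version] for every .php file whose name
 * contains "phpmailer" and that declares a 5.x $Version. Other files
 * (class.smtp.php, OAuth helpers) carry no $Version and are skipped.
 */
function findPhpmailerCopies(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable subdirectories
    );
    foreach ($it as $file) {
        $name = strtolower($file->getFilename());
        if (strpos($name, 'phpmailer') === false || substr($name, -4) !== '.php') {
            continue;
        }
        $version = phpmailerVersionOf($file->getPathname());
        if ($version !== null) {
            $found[$file->getPathname()] = $version;
        }
    }
    return $found;
}

$root   = $argv[1] ?? '/var/www';
$copies = findPhpmailerCopies($root);
if ($copies === []) {
    echo "No PHPMailer 5.x class files found under $root\n";
}
foreach ($copies as $path => $version) {
    printf("%-70s %-7s %s\n", $path, $version,
        isFixedVersion($version) ? 'ok' : 'VULNERABLE - update to ' . FIXED_VERSION . ' or later');
}
```

Because the walk is by file name rather than by package metadata, it also catches copies vendored into plugins and themes that a CMS core update will not touch; each of those needs its own plugin update or removal, as the remediation advice above describes.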
Get in touch
For further information, please contact our security experts. If you are a client, please raise a ticket within the SureCloud Platform or email our support team.
References
- Original LegalHackers Report: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
- Official CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
- Example Exploit: https://legalhackers.com/exploits/CVE-2016-10033/PHPMailer-RCE-exploit-poc.txt
- Drupal Vulnerability Advisory: https://www.drupal.org/psa-2016-004
- Wordfence Advisory: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/