PHPMailer RCE (opens in new tab)

(legalhackers.com)

46 pointseasychris9y ago10 comments

10 comments

9 comments · 4 top-level

orf9y ago· 2 in thread

No details on what the actual issue was, but I think it's fixed in this commit[1]. Seems like the escapeshellargs addition is the important bit.

Sigh

It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their github for anybody to see.

1. https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...

DCoder9y ago

That added call to escapeshellarg sanitizes the "From" address before passing it to PHP's mail() function as an additional parameter. That function will invoke a preconfigured executable (sendmail or a compatible wrapper) and pass that parameter to it along with the rest of the email data. It is worth noting that:

1) PHPMailer can be configured to send mail through raw SMTP, by directly invoking sendmail, or by calling PHP's mail() function. The changes in this commit only affect the last mode.

2) The "From" address is typically chosen by the site operator/server administrator, not customizable by a site visitor. I have built sites with "share this page with a friend" functionality that sent email from one given email address to another, but this practice seems to have fallen out of favour when SPF became popular.

drvdevd9y ago

Perhaps "limited advisories" are always damaging because they can lead users to think not everyone "knows" about the vuln and thus that they have extra time to patch, whereas most people who understand the issues generally won't have much trouble finding the exploit once they have a clue of where to look (especially in code like this).

janci9y ago· 2 in thread

If I understand, only implementations using "sendmail" (ie. not mail() or SMTP) are affected.

DCoder9y ago

That's not correct, the added escapeshellarg() call is inside the mailSend() function, which sends mail through php's mail(). See [1].

[1]: https://github.com/PHPMailer/PHPMailer/blame/4835657cd639fbd...

SwellJoe9y ago

But, if something comes into the mail server via SMTP, it's gonna be protected by the mail servers own defenses. Unless the MTA also has a similar vulnerability, it wouldn't be dangerous in the SMTP case. Right? Or are you saying just the PHP mail() function is similarly exploitable?

1 more reply

cebe9y ago· 1 in thread

In case anyone needs this:

A script for finding vulnerable versions of PHPMailer on a server:

https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf11...

Finds also really old versions like 2.0.4.

etcet9y ago

Find is a powerful tool:

    find /var/www -name 'class.phpmailer.php' -print -exec grep -ni '%s["'\''], $this->Sender' {} \;

1 more reply

dorianm9y ago

Seems to come from the From email field: https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5....

More details here: https://www.saotn.org/exploit-phps-mail-get-remote-code-exec...

PHP mail doc: http://php.net/manual/en/function.mail.php

A function that allows to pass arbitrary flags to a command line, what could go wrong... :)

    mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');

j / k navigate · click thread line to collapse

10 comments

9 comments · 4 top-level

orf9y ago· 2 in thread

No details on what the actual issue was, but I think it's fixed in this commit[1]. Seems like the escapeshellargs addition is the important bit.

Sigh

It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their github for anybody to see.

1. https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...

DCoder9y ago

1) PHPMailer can be configured to send mail through raw SMTP, by directly invoking sendmail, or by calling PHP's mail() function. The changes in this commit only affect the last mode.

drvdevd9y ago

janci9y ago· 2 in thread

If I understand, only implementations using "sendmail" (ie. not mail() or SMTP) are affected.

DCoder9y ago

That's not correct, the added escapeshellarg() call is inside the mailSend() function, which sends mail through php's mail(). See [1].

[1]: https://github.com/PHPMailer/PHPMailer/blame/4835657cd639fbd...

SwellJoe9y ago

1 more reply

cebe9y ago· 1 in thread

In case anyone needs this:

A script for finding vulnerable versions of PHPMailer on a server:

https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf11...

Finds also really old versions like 2.0.4.

etcet9y ago

Find is a powerful tool:

    find /var/www -name 'class.phpmailer.php' -print -exec grep -ni '%s["'\''], $this->Sender' {} \;

1 more reply

dorianm9y ago

Seems to come from the From email field: https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5....

More details here: https://www.saotn.org/exploit-phps-mail-get-remote-code-exec...

PHP mail doc: http://php.net/manual/en/function.mail.php

A function that allows to pass arbitrary flags to a command line, what could go wrong... :)

    mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');

j / k navigate · click thread line to collapse