Bug 603750 (CVE-2016-10033)

Summary: <dev-php/PHPMailer-5.2.18: remote code execution (CVE-2016-10033)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: mjo, php-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=603752
          https://bugs.gentoo.org/show_bug.cgi?id=603972
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 13:08:10 UTC
From $URL:

I. VULNERABILITY
-------------------------

PHPMailer < 5.2.18 Remote Code Execution


II. BACKGROUND
-------------------------

"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant
pace daily."

http://phpmailer.worxware.com/


"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"

https://github.com/PHPMailer/PHPMailer


III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in PHPMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.

Note:
This is a limited advisory to give users a chance to urgently update their
PHPMailer class before disclosing the details.
Details of this vulnerability will be published shortly.


IV. DESCRIPTION
-------------------------

To be released

V. PROOF OF CONCEPT EXPLOIT
-------------------------

The researcher has developed a working RCE PoC exploit.

The exploit will be published at a later date.

The researcher also developed an Unauthenticated RCE exploit for a popular 
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has 
fixed the vulnerabilities.

Video PoC:
~~~~~~~~~~~~~

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html


VI. BUSINESS IMPACT
-------------------------

A successful exploitation could let remote attackers gain access to
the target server in the context of the web server account, which could
lead to a full compromise of the web application.

VII. SYSTEMS AFFECTED
-------------------------

All versions of PHPMailer before the critical release of 5.2.18 are affected.


VIII. SOLUTION
-------------------------

The vulnerability was responsibly disclosed to the PHPMailer vendor.
The vendor released a critical security release of PHPMailer 5.2.18 to fix the
issue, as announced at:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md


CVE MITRE assigned the following ID to this vulnerability: 

CVE-2016-10033

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-26 13:10:13 UTC

@ Maintainer(s): Please bump to >=dev-php/PHPMailer-5.2.19. You can clean up immediately because the package isn't stable.

Comment 2 Michael Orlitzky gentoo-dev 2016-12-26 13:46:17 UTC

New version added, old version removed in f199e0f.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-01-02 08:29:15 UTC

Tree is clean.