Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

[Peter Bex <peter () more-magic net>]

On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
> Hi,
>
> Given I had plenty of time on the train to 33c3 I did a quick
> lookaround on what contains PHPMailer. As the details of the vuln
> aren't clear yet this doesn't necessarily mean they're vulnerable, just
> that they ship the affected code.

It looks like the vulnerability is due to a missing escaping of shell
arguments in the sender's e-mail address.  This commit seems to be
the one that fixes the bug:
https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449

So it depends on whether a web form allows one to control the "from"
mail address or not.

> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
> But there are probably plugins and extensions using it. I also saw it
> used in some wordpress themes.

I noticed this Drupal module: https://www.drupal.org/project/phpmailer
which has some sort of integration with the widely used mimemail module.
The linked module http://drupal.org/project/smtp also uses PHPMailer.
There are undoubtedly more modules that do.

The LCMS system Chamilo also uses PHPMailer for sending mails internally.

Cheers,
Peter Bex

Attachment: signature.asc
Description: Digital signature