oss-sec mailing list archives
Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
From: Florian Pritz <bluewind () xinu at>
Date: Tue, 27 Dec 2016 12:02:43 +0100
On 27.12.2016 01:10, Tracy Reed wrote:
> Particularly since this is command injection which is precisely what SELinux is good at limiting (as opposed to SQL injection).
This is not strictly command injection. It is more similar to an unrestricted file upload vulnerability. The problem is that you can use the sendmail -X option to write a log file of the SMTP dialog (with an arbitrary path) that then contains e.g. php code which you can execute via a second request.

php itself actually prevents you from performing command injection because according to the documentation of the mail() function, the arguments are wrapped in escape_shellcmd() internally. It just doesn't prevent you from passing arbitrary arguments.

The attack is described here: https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Also note that postfix' sendmail implementation does not support the -X option. Additionally I believe there are no other options in postfix' sendmail that are vulnerable to this issue, but feel free to verify this.

Florian
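The argument-injection mechanism Florian describes above, as an added illustration that is not part of the thread and not PHP's or PHPMailer's code. The block reimplements the escaping that PHP's documentation says mail() applies to additional_parameters (escapeshellcmd: metacharacters get a backslash, a quote is escaped only when it has no later partner), then runs the resulting command line through POSIX word splitting to show what argv sendmail actually receives. The sendmail path is PHP's documented default; the crafted sender address and the allow-list check at the end are assumptions of this example, not the project's fix.

```python
import re
import shlex

# Characters PHP's escapeshellcmd() documents as receiving a leading backslash.
# This is a reimplementation for illustration, not PHP's own code.
PHP_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def escapeshellcmd(s: str) -> str:
    """Approximation of PHP's escapeshellcmd(): escape metacharacters, and escape
    a single or double quote only if it has no later partner of the same kind."""
    out = []
    partner = None  # index of the quote that closes the currently open pair
    for i, c in enumerate(s):
        if c in ('"', "'"):
            if partner is None:
                partner = s.find(c, i + 1)
                if partner == -1:          # unpaired quote: escape it
                    partner = None
                    out.append('\\')
            elif s[partner] == c:          # reached the closing partner
                partner = None
            else:                          # other quote kind inside a pair
                out.append('\\')
            out.append(c)
        elif c in PHP_META:
            out.append('\\' + c)
        else:
            out.append(c)
    return ''.join(out)


# PHP's documented default sendmail_path.
SENDMAIL = '/usr/sbin/sendmail -t -i'

# Constructed sender address (assumption of this example). The local part is one
# RFC 5321 quoted-string with an escaped inner quote, so an address-syntax check
# accepts it; the spaces and the -X word survive escapeshellcmd() untouched.
CRAFTED_SENDER = '"attacker\\" -X/var/www/html/x.php some"@example.com'


def sendmail_argv(sender: str) -> list:
    """argv that /bin/sh hands to sendmail when mail() is called with
    additional_parameters = '-f' + sender (the pattern PHPMailer < 5.2.18 used)."""
    cmd = SENDMAIL + ' ' + escapeshellcmd('-f' + sender)
    return shlex.split(cmd)  # POSIX word splitting, as sh -c would do


def injected_words(sender: str) -> list:
    """Every argv word beyond the four expected ones (sendmail, -t, -i, -f...).
    Anything listed here is an option the attacker smuggled in."""
    return sendmail_argv(sender)[4:]


# Allow-list check (an assumption of this example, not PHPMailer's own code):
# no whitespace or quotes can pass, so no second argv word can be smuggled.
SAFE_SENDER = re.compile(r'[A-Za-z0-9@_.-]+')


def is_shell_safe(sender: str) -> bool:
    return SAFE_SENDER.fullmatch(sender) is not None


if __name__ == '__main__':
    for addr in ('bob@example.com', CRAFTED_SENDER):
        print(repr(addr))
        print('  escaped :', escapeshellcmd('-f' + addr))
        print('  argv    :', sendmail_argv(addr))
        print('  injected:', injected_words(addr))
        print('  allowed :', is_shell_safe(addr))
```

The escaped string still contains no unescaped shell metacharacter, which is why this is not command injection: sendmail, not a second program, ends up running. But the shell happily splits it into several words, and the `-X` word lands in sendmail's argv with a path the attacker chose, which is the file-write primitive Florian compares to an unrestricted upload.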
Current thread:
- PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Dawid Golunski (Dec 25)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Hanno Böck (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: [security] [oss-security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Michael Hess (Dec 26)
- Re: [security] [oss-security] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Yannick Warnier (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Peter Bex (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Hanno Böck (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Tracy Reed (Dec 26)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Michael Hess (Dec 27)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Florian Pritz (Dec 27)
- Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033] Dawid Golunski (Dec 27)