CVE-2016-10045: Remote code execution in PHPMailer
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP mail() function entirely.
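A dependency check for the affected range stated above, as an added example that is not part of the original advisory or of PHPMailer's code: it reads a composer.lock and flags phpmailer/phpmailer entries older than 5.2.20. The sample lock file is constructed, and the function names are assumptions of this example.

```python
import json
import re

PACKAGE = "phpmailer/phpmailer"
FIXED = (5, 2, 20)  # per the advisory: versions before 5.2.20 are affected


def parse_version(text):
    """Map '5.2.19' or 'v5.2.19' to (5, 2, 19); return None for anything else."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit_lock(lock_text):
    """Return (section, version, status) for each PHPMailer entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            # Composer package names are case-insensitive.
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                status = "unknown"  # dev branches, aliases, pre-releases: review by hand
            elif version < FIXED:
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append((section, raw, status))
    return findings


# Constructed sample lock file, trimmed to the two fields the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.22.0"},
        {"name": "phpmailer/phpmailer", "version": "v5.2.19"},
    ],
    "packages-dev": [
        {"name": "PHPMailer/PHPMailer", "version": "dev-master"},
    ],
})

if __name__ == "__main__":
    for section, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status} for CVE-2016-10045")
```

Entries reported as "unknown" are not compared at all, so a branch or pre-release install still needs a manual look at the checked-out commit.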
References
- developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2016-10045.yaml
- github.com/PHPMailer/PHPMailer
- github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20
- github.com/PHPMailer/PHPMailer/security/advisories/GHSA-4pc3-96mx-wwc8
- github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
- github.com/advisories/GHSA-4pc3-96mx-wwc8
- legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
- nvd.nist.gov/vuln/detail/CVE-2016-10045
- www.exploit-db.com/exploits/40969
- www.exploit-db.com/exploits/40986
- www.exploit-db.com/exploits/42221