PHPMailer vulnerability

If you don’t think you’ve used PHPMailer, you’re probably wrong. In fact, 9 million sites out there use the code library to handle such tasks as sending emails, registration forms, password reset emails etc.

Consequently, you might not be too pleased to hear that a vulnerability has been discovered in one of the library’s components, leaving millions of websites open to attack.

The PHPMailer Vulnerability

Dawid Golunski first privately notified PHPMailer’s authors, giving them a grace period, as is customary. This led to a software update quickly being distributed. All’s well that ends well, right?

Unfortunately, a couple of days later Golunski found a bypass of PHPMailer’s patch, meaning all PHPMailer versions were once again vulnerable. Consequently, we now have a zero-day vulnerability on our hands – a bug which is publicly known and unpatched.

What’s the Danger?

PHPMailer, unsurprisingly, is written in PHP, an open source scripting language which is embedded into many websites’ HTML. WordPress, Joomla and Drupal are just a taste of the big names which use the library. Furthermore, even if PHPMailer isn’t directly included in a website’s core code, there’s a good chance it’s present as a separate module or bundled with a third-party add-on.

The danger of the bug is that remote attackers can achieve arbitrary code execution in the context of the web server, which would then allow them to compromise the web application they have targeted. In a nutshell, the PHPMailer vulnerability centers on attackers being able to inject arbitrary options into PHPMailer’s Sendmail command line in the form of unverified email addresses. Because the sender address is placed on the command line without being checked, a crafted address can introduce extra command-line arguments, and that is what makes PHPMailer’s remote code execution vulnerability possible.

WordPress and Drupal were both quick to sound the security sirens and warn users about the PHPMailer vulnerability.

Vulnerability Information

All PHPMailer versions before the current one (5.2.18) are affected.

The PHPMailer vulnerability has been assigned CVE-2016-10045. However, information regarding the bug’s severity, exploits and attack vectors is thin on the ground. This is because the CVE still has a reserved status, to allow more time for patching.

What’s Next…

If you’re a WordPress user, you’ll be pleased to know that the upcoming 4.7.1 release is set to bash the bug.

Furthermore, if your website directly uses PHPMailer in its core code, you should upgrade your library as soon as the latest patched version is released. It’s also a good idea to check whether any of your site’s forms (e.g. contact, feedback, registration, email, etc.) use one of PHPMailer’s vulnerable versions to send out emails, and whether would-be attackers can supply the sender email address in the affected field.
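As an added illustration of the check the paragraph above asks for (and of the root cause described under “What’s the Danger?”), the following PHP is example code, not PHPMailer’s own: a sender address taken from a form is allowed onto the Sendmail command line only if it passes a strict character allowlist, so anything that could be read as an extra command-line argument is refused outright rather than escaped. The sendmail path, the allowed character set and the sample inputs are assumptions made for this example.

```php
<?php
// Example code (not from PHPMailer): gate a user-supplied envelope sender
// before it is appended to a command line such as
//   /usr/sbin/sendmail -t -i -f<sender>
// The sendmail path and the allowlist below are assumptions for this demo.

/**
 * Returns true only if $address is safe to hand to the shell as a -f value.
 * Escaping is deliberately NOT relied on: the value must already contain
 * nothing a shell treats specially (whitespace, quotes, backslash, $, `,
 * |, ;, &, parentheses, angle brackets, ...), otherwise it is rejected.
 */
function isSafeSenderAddress(string $address): bool
{
    // 1. Ordinary syntactic validation of the address itself.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // 2. Strict allowlist: letters, digits, '@', '.', '_', '-' and '+'.
    //    A space, which is what turns one argument into two, can never pass.
    if (preg_match('/^[A-Za-z0-9@._+-]+$/', $address) !== 1) {
        return false;
    }
    // 3. Belt and braces: shell escaping must be a no-op on an accepted value.
    return escapeshellcmd($address) === $address;
}

/**
 * Builds the sendmail invocation. If the sender fails the check the -f option
 * is simply omitted, which is always safe (sendmail then uses its default).
 */
function buildSendmailCommand(string $sendmailPath, string $sender): string
{
    $cmd = $sendmailPath . ' -t -i';
    if (isSafeSenderAddress($sender)) {
        $cmd .= ' -f' . $sender;
    }
    return $cmd;
}

// Constructed sample inputs, as a contact form might submit them.
$inputs = [
    'alice@example.com',          // accepted
    'bob+news@mail.example.org',  // accepted
    'carol@example.com extra',    // rejected: whitespace splits arguments
    '"dave smith"@example.com',   // rejected: quotes and whitespace
];
foreach ($inputs as $in) {
    printf("%-30s %s\n", $in, isSafeSenderAddress($in) ? 'safe' : 'REJECTED');
    echo '  ', buildSendmailCommand('/usr/sbin/sendmail', $in), "\n";
}
```

Run with the PHP CLI; the two rejected inputs produce a command line with no `-f` option at all, which is the behaviour you want from a form handler until the library itself is patched.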

Hopefully, it won’t be too long before a public and universal patch is pushed for the PHPMailer vulnerability.