PHPMailer, one of the most widely used classes for sending email from within PHP, has a serious vulnerability in versions prior to 5.2.18 (the current version). The security researcher Dawid Golunski just published a limited advisory stating that PHPMailer suffers from a critical flaw that might allow an attacker to achieve remote code execution in the context of the web server user. PHPMailer is used by several open-source projects, among them WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. A fix has been issued and PHPMailer is urging all users to upgrade their systems.

To trigger this vulnerability (CVE-2016-10033), it seems that the attacker only has to make the web application send out an email using the vulnerable PHPMailer class. Depending on the application itself, this can be accomplished in different ways, such as contact/feedback forms, registration forms, password reset emails and so on.

After a quick diff analysis, we found that the vulnerable code seems to lie in the following lines of class.phpmailer.php:

Version 5.2.17

if (!empty($this->Sender)) {
  $params = sprintf('-f%s', $this->Sender);
}
if ($this->Sender != '' and !ini_get('safe_mode')) {
  $old_from = ini_get('sendmail_from');
  ini_set('sendmail_from', $this->Sender);
}

Version 5.2.18

if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
  $params = sprintf('-f%s', escapeshellarg($this->Sender));
}
if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
  $old_from = ini_get('sendmail_from');
  ini_set('sendmail_from', $this->Sender);
}

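From the code above we can get an idea of where the bug comes from: the fixed version validates the Sender address and wraps it in escapeshellarg() before placing it in the -f parameter, neither of which 5.2.17 did. The researcher Dawid Golunski claims to have developed a working Remote Code Execution (RCE) Proof of Concept (PoC) exploit and says he will publish it at a later date, in order to give users time to upgrade their systems.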

So… sysadmins, what are you waiting for? Go and upgrade. If Santa does not sleep, neither should you…
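To find the copies that still need the upgrade, the following added example (not part of the original post or of PHPMailer) walks a directory tree, reads the version declared in each class.phpmailer.php and flags anything below 5.2.18. It assumes each copy declares its release in a `$Version = '…'` property, as the 5.2.x class file does; the function names and the sample tree in `demo()` are constructed for illustration.

```python
import os
import re
import sys
import tempfile

FIXED = (5, 2, 18)  # first fixed release according to the post
# Assumption: the class file declares its release as  public $Version = '5.2.17';
VERSION_RE = re.compile(r"\$Version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")

def parse_version(text):
    """Return the declared version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def scan(root):
    """Yield (path, version, status) for every class.phpmailer.php under root."""
    for dirpath, _dirs, files in os.walk(root):
        if "class.phpmailer.php" not in files:
            continue
        path = os.path.join(dirpath, "class.phpmailer.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
        if version is None:
            status = "unknown"      # no version string found: inspect by hand
        elif version < FIXED:
            status = "vulnerable"   # older than 5.2.18, upgrade needed
        else:
            status = "patched"
        yield path, version, status

def demo():
    """Scan a constructed tree holding one 5.2.17 copy and one 5.2.18 copy."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in (("old_app", "5.2.17"), ("new_app", "5.2.18")):
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, "class.phpmailer.php"), "w") as fh:
                fh.write("<?php\nclass PHPMailer {\n  public $Version = '%s';\n}\n" % ver)
        return sorted((os.path.basename(os.path.dirname(p)), s) for p, _v, s in scan(root))

if __name__ == "__main__":
    if len(sys.argv) > 1:           # scan the directory given on the command line
        for path, version, status in scan(sys.argv[1]):
            print(status, ".".join(map(str, version or ())) or "?", path)
    else:
        print(demo())
```

Pass the web root as the first argument to scan a real host. Copies that a project bundles under a different filename are not matched and need a separate search.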