PHPMailer Vulnerability

A new Remote Code Execution (RCE) vulnerability was reported on Christmas, but details were only recently released. PHPMailer has already issued a patch (though they are not 100% confident in it), and WordPress (which uses PHPMailer) is considering issuing a security patch for current versions as well.

The vulnerability arises because a FROM address containing escaped shell arguments, when passed as a variable into PHPMailer, is handed through to the mail function unchanged, which allows an attacker to put executable code into the root.

Note that as of now there are no known working exploits for this. Also note that this exploit may not work on all systems, because the mail program behind the mail function differs between systems and accepts different arguments.

Also, as long as the email address passed to the FROM variable is validated more strictly (rejecting escaped quotes and whitespace in email addresses), it is not an issue. Some feel that this strictness, which does not follow the RFC exactly, will block valid emails, but many point out that it would only block VERY FEW valid emails and argue that the RFC should not allow such characters in the first place – most well-known email systems do not allow such characters anyway.

The code that I write always validates the email using the filter_var function (which is strict and prevents the issue from occurring). I checked Gravity Forms and they also use the filter_var function. I don’t know about JetPack. It is also likely that, if they have not already, CloudFlare and WP Engine will add an input filter for this.
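As an added example (not code from the original post, from PHPMailer, or from any plugin named above), the following shows the kind of strict sender validation the post recommends: filter_var(FILTER_VALIDATE_EMAIL) is kept as the baseline, and an explicit character check enforces the no-escaped-quotes, no-whitespace rule, since RFC-style quoted local parts with backslash escapes can otherwise pass the filter. The function name and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not from the original post or from PHPMailer.
// Assumes a standard PHP build with the filter and pcre extensions.

/**
 * Return the address if it passes a strict check, or null if it must be rejected.
 * Run this on any user-supplied value BEFORE it is passed to PHPMailer's
 * setFrom()/Sender or to mail(), so nothing shell-like reaches the mail program.
 */
function strict_sender_address($candidate)
{
    $candidate = trim((string) $candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    // Baseline: PHP's own email validator (what the post calls "the filter_var function").
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Enforce the post's stricter rule: no whitespace, quotes, backslashes or other
    // characters that have meaning to a shell. This is deliberately tighter than the RFC.
    if (preg_match('/[\s"\'\\\\<>;|&$`()]/', $candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs: two ordinary addresses, then addresses shaped like the
// escaped-quote / whitespace forms the post describes (shape only, no payload).
$samples = array(
    'alice@example.com'           => 'ok',
    'a.b+tag@sub.example.org'     => 'ok',
    '"alice" @example.com'        => 'REJECT',   // bare whitespace
    '"a\" b\"@example.com'        => 'REJECT',   // escaped quotes and a space
    'alice@example.com;other'     => 'REJECT',   // shell metacharacter
);
foreach ($samples as $address => $expected) {
    $result = strict_sender_address($address) === null ? 'REJECT' : 'ok';
    printf("%-28s %-7s (expected %s)\n", $address, $result, $expected);
}
```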

If you are using a custom build of PHPMailer in any extensions, add-ons or external code, it is HIGHLY RECOMMENDED that you upgrade to PHPMailer version 5.2.18 or newer, which adds escaping of the FROM address.
