PHPMailer PwnScriptum Remote Code Execution

Added: 01/05/2017
BID: 95108

Background

PHPMailer is a PHP class used for sending email from PHP. It is used by many open-source projects, e.g., WordPress, Drupal, and Joomla.

Problem

PHPMailer class mailSend() function is vulnerable to command injection due to failure to properly sanitize the destination email address.

Resolution

Upgrade to PHPMailer 5.2.20 or higher.

References

http://pwnscriptum.com/
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://www.exploit-db.com/exploits/40986/

Limitations

Exploit works on PHPMailer before 5.2.18.

Exploit targets a common web application component: a contact form. The contact form action parameter value and field names must match the specified value/field names (e.g., send/name/email/msg).

There must be a web-user writable directory under the web application directory.
Back to exploit index