Swift Mailer PwnScriptum Command Injection

Added: 01/17/2017
BID: 95140

Background

Swift Mailer is a component-based library used for sending email from PHP. It is used by many PHP programming frameworks, e.g., Yii2, Laraval, and Symfony.

Problem

Swift Mailer library mail transport (Swift_Transport_MailTransport) is vulnerable to command injection due to failure to properly sanitize the "From", "ReturnPath" and "Sender" headers.

Resolution

Upgrade to Swift Mailer 5.4.5 or higher.

References

http://pwnscriptum.com/
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
https://www.exploit-db.com/exploits/40986/

Limitations

Exploit works on Swift Mailer before 5.4.5.

Exploit targets a common web application component: a contact form. The contact form action parameter value and field names must match the specified value/field names (e.g., send/name/email/msg).

There must be a web-user writable directory under the web application directory.
Back to exploit index