A security researcher recently reported a critical vulnerability in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application.
Disclosed by a Polish security researcher, the issue (CVE-2016-10033) in PHPMailer, used by more than 9 million users worldwide, was thought to be fixed with the release of version 5.2.18.
However, Golunski managed to bypass the patched version of PHPMailer. The bypass was given a new CVE (CVE-2016-10045), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack.
PHPMailer eventually fixed the issue with an update, version 5.2.20. All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to the new version.
In addition to this bug, Golunski also reported a similar vulnerability in two other mailing libraries for PHP, SwiftMailer and ZendMail, that could have also led to remote code execution attack.
Golunski has also released a 3-in-1 exploit and a white-paper with previously unknown exploitation vectors and techniques that can be used to exploit all three vulnerabilities.
RCE Flaw in SwiftMailer
SwiftMailer is also a popular PHP library used by many major open-source projects, including top PHP programming frameworks like Yii2, Laravel, Symfony for sending emails over SMTP.
The vulnerability (CVE-2016-10074) in SwiftMailer can be exploited in the same way as the PHPMailer vulnerability by targeting web site components that use the SwiftMailer class, such as contact/registration forms, password email reset forms, and so forth.
Attackers can execute arbitrary code remotely in the context of the web server, which could further be exploited to access a web server hosting a web application that used a vulnerable version of the library.
The SwiftMailer vulnerability affects all versions of the library, including the then-current release, version 5.4.5-DEV.
Golunski disclosed the vulnerability to the SwiftMailer team, and developers acted fast to fix the issue, rolling out patched version 5.4.5 within a day.
"The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the "From," "ReturnPath" or "Sender" header came from a non-trusted source, potentially allowing Remote Code Execution," reads the changelog for SwiftMailer on GitHub.
RCE Flaw in ZendMail
ZendMail is a component of a very popular PHP programming framework, Zend Framework, with more than 95 million installations.
The critical vulnerability (CVE-2016-10034) in ZendMail can also be exploited in the same way as the one discovered in PHPMailer and SwiftMailer by targeting web site components that use ZendMail, like contact/registration forms, password email reset forms, and so on.
Attackers could achieve remote code execution in the context of the web server and could remotely compromise the target web application that used the vulnerable version of ZendMail.
The researcher reported the issue to ZendMail, and the developers fixed the vulnerability and rolled out the patched version.
"When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program," ZendMail wrote in a blog post.
"The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability."
Golunski has released a proof-of-concept video demonstration that will show all three attacks in action.
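Both vendor statements describe the same root cause: characters from an untrusted sender address reach the sendmail command line. The following is an added example, not code from PHPMailer, SwiftMailer, zend-mail or the original article. It shows an application-side allowlist check applied before a user-supplied address is handed to any mail transport; the function name safeEnvelopeSender, the fallback address and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHPMailer, SwiftMailer or zend-mail).
 * Returns the address only if it is a plain addr-spec built from allowlisted
 * characters, so it cannot break into additional command line arguments.
 */
function safeEnvelopeSender(string $address): ?string
{
    // No quotes, backslashes, whitespace or control characters anywhere;
    // the local part may not start with "-" or "."; \A and \z anchor the
    // whole string, so a trailing newline is rejected as well.
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9_+][A-Za-z0-9._+\-]{0,63}@' . $label
             . '(?:\.' . $label . ')+\z/';

    if (strlen($address) > 254 || preg_match($pattern, $address) !== 1) {
        return null;
    }
    return $address;
}

// Constructed sample inputs, e.g. the "From" field of a contact form.
$samples = [
    'alice@example.com',
    '"a\" extra-arg"@example.com',   // quote characters and a space
    '-leading-dash@example.com',     // would look like an option
    "bob@example.com\nX: y",         // embedded newline
];

foreach ($samples as $candidate) {
    // Assumption: a fixed, server-configured sender is used on rejection.
    $sender = safeEnvelopeSender($candidate) ?? 'noreply@example.com';
    printf(
        "%-34s => %s\n",
        json_encode($candidate),
        $sender === $candidate ? 'accepted' : "rejected, using $sender"
    );
}
```

Only the first sample is accepted. This check complements updating to the patched library versions named above and does not replace it.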