A critical RCE vulnerability has been introduced by the patch for CVE-2016-10033. Please contact me at [email protected] for more details. PGP: https://keybase.io/zenexer
More than this: https://news.ycombinator.com/item?id=13268692
@cnizzdotcom Confirmed, that's the same vulnerability. At the time, I didn't know there was a CVE for it. Editing title to match.
@Zenexer thanks, trying to get this exploit working locally, nadda yet.
Can confirm both CVE-2016-10033 and CVE-2016-10045 are exploitable. 10045 takes a little more thought. Both require that the attacker have control over the sender address, which is unadvisable anyway. Just because a CRM uses PHPMailer doesn't mean that it's vulnerable. Contact forms are likely to be the most susceptible because they're often poorly designed.
Unfortunately using user-submitted addresses as a from address (and thus as a sender address) is a very common pattern I've battling against for years on StackOverflow and here...
Sadly, that practice is likely to outlive all of us.
I've written a technical analysis of the underlying issues behind CVE-2016-10033 and CVE-2016-10045: https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36
Most helpful comment
Unfortunately using user-submitted addresses as a from address (and thus as a sender address) is a very common pattern I've battling against for years on StackOverflow and here...