Phpmailer: CVE-2016-10045: Critical RCE vulnerability introduced in 5.2.18

Created on 28 Dec 2016  路  7Comments  路  Source: PHPMailer/PHPMailer

A critical RCE vulnerability has been introduced by the patch for CVE-2016-10033. Please contact me at [email protected] for more details. PGP: https://keybase.io/zenexer

Most helpful comment

Unfortunately using user-submitted addresses as a from address (and thus as a sender address) is a very common pattern I've battling against for years on StackOverflow and here...

All 7 comments

@cnizzdotcom Confirmed, that's the same vulnerability. At the time, I didn't know there was a CVE for it. Editing title to match.

@Zenexer thanks, trying to get this exploit working locally, nadda yet.

Can confirm both CVE-2016-10033 and CVE-2016-10045 are exploitable. 10045 takes a little more thought. Both require that the attacker have control over the sender address, which is unadvisable anyway. Just because a CRM uses PHPMailer doesn't mean that it's vulnerable. Contact forms are likely to be the most susceptible because they're often poorly designed.

Unfortunately using user-submitted addresses as a from address (and thus as a sender address) is a very common pattern I've battling against for years on StackOverflow and here...

Sadly, that practice is likely to outlive all of us.

I've written a technical analysis of the underlying issues behind CVE-2016-10033 and CVE-2016-10045: https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36

Was this page helpful?
0 / 5 - 0 ratings