7.5
CVSSv2

CVE-2016-10045

Published: 30/12/2016 Updated: 09/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 818
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The isMail transport in PHPMailer prior to 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Vulnerability Trend

Affected Products

Vendor Product Versions
Phpmailer ProjectPhpmailer5.2.19

Vendor Advisories

Debian Bug report logs - #849365 libphp-phpmailer: CVE-2016-10033 Package: src:libphp-phpmailer; Maintainer for src:libphp-phpmailer is Debian PHP PEAR Maintainers <pkg-php-pear@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, 26 Dec 2016 09:57:01 UTC Severity: grave Tags: se ...
Dawid Golunski discovered that PHPMailer, a popular library to send email from PHP applications, allowed a remote attacker to execute code if they were able to provide a crafted Sender address Note that for this issue also CVE-2016-10045 was assigned, which is a regression in the original patch proposed for CVE-2016-10033 Because the origial pa ...
It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by unauthenticated remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application This issue can be triggered by passin ...
Debian Bug report logs - #852767 wordpress: 472 security release (CVE-2017-5610 CVE-2017-5611 CVE-2017-5612) Package: src:wordpress; Maintainer for src:wordpress is Craig Small <csmall@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 27 Jan 2017 06:18:01 UTC Severity: grave Tags: fixed- ...
Arch Linux Security Advisory ASA-201701-22 ========================================== Severity: High Date : 2017-01-15 CVE-ID : CVE-2016-10033 CVE-2016-10045 CVE-2017-5487 CVE-2017-5488 CVE-2017-5489 CVE-2017-5490 CVE-2017-5491 CVE-2017-5492 CVE-2017-5493 Package : wordpress Type : multiple issues Remote : Yes Link : ...

Exploits

#!/usr/bin/python intro = """ PHPMailer RCE PoC Exploits PHPMailer < 5218 Remote Code Execution PoC Exploit (CVE-2016-10033) + PHPMailer < 5220 Remote Code Execution PoC Exploit (CVE-2016-10045) (the bypass of the first patch for CVE-2016-10033) Discovered and Coded by: Dawid Golunski @dawid_golunski legalhackerscom """ u ...
#!/usr/bin/python # # Exploit Title: [RCE for PHPMailer < 5220 with Exim MTA] # Date: [16/06/2017] # Exploit Author: [@phackt_ul] # Software Link: [githubcom/PHPMailer/PHPMailer] # Version: [< 5220] # Tested on: [Debian x86/x64] # CVE : [CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045] # # @phackt_ul - phackt ...
#!/usr/bin/python intro = """\033[94m __ __ __ __ __ / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/ / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) /_____/\___/\__, /\__,_/_/ /_/ ...

Mailing Lists

PHPMailer versions prior to 5220 zero day remote code execution exploit This bypasses the CVE-2016-10033 patch ...
SmartJobBoard version 509 suffers from cross site scripting and information disclosure vulnerabilities ...
WordPress (core) 46 suffers from an unauthenticated remote code execution condition via an exploitable version of PHPMailer built-in to WordPress code Exploitation details provided ...
This proof of concept exploit aims to execute a reverse shell on the target in the context of the web server user via a vulnerable PHP email library ...
SquirrelMail versions 1422 and below suffer from a remote code execution vulnerability ...

Metasploit Modules

PHPMailer Sendmail Argument Injection

PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.

msf > use exploit/multi/http/phpmailer_arg_injection
      msf exploit(phpmailer_arg_injection) > show targets
            ...targets...
      msf exploit(phpmailer_arg_injection) > set TARGET <target-id>
      msf exploit(phpmailer_arg_injection) > show options
            ...show and set options...
      msf exploit(phpmailer_arg_injection) > exploit

Github Repositories

safeshell Prevent PHP vulnerabilities similar to CVE-2016-10033 and CVE-2016-10045

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer / Zend-mail / SwiftMailer - Remote Code Execution Exploit aka "PwnScriptum" CVE-2016-10033 + CVE-2016-10045 + CVE-2016-10034 + CVE-2016-10074 This PoC exploit aims to execute a reverse shell on the target in the context of the web-server user via vulnerable PHP email library Discovered and Coded by: \033[1;34m Dawid Golunski legalhackerscom t: @d

Xem thêm các dự án viết bằng yii framework Kho hàng US - Dịch vụ đặt hàng Mỹ số 1 Việt Nam Mỹ phẩm cao cấp Hàn Quốc Amaranth - Sorabee - Bello Vita Chia sẻ kinh nghiệm lập trình php - vps - hosting Chia sẻ coupon khuyến mãi từ các trang thương mại điện tử hàng đ

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

Para buildar os dockers: $ sudo docker build -t ep4/5217 troque 5217 por 18 e 20 para rodar os dockers: $ sudo docker run -p 7001:80 ep4/5217 troque por 7001/7002/7003 e 5217/18/20 nas respectivas pastas

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

Xem thêm các dự án viết bằng yii framework Kho hàng US - Dịch vụ đặt hàng Mỹ số 1 Việt Nam Mỹ phẩm cao cấp Hàn Quốc Amaranth - Sorabee - Bello Vita Chia sẻ kinh nghiệm lập trình php - vps - hosting Chia sẻ coupon khuyến mãi từ các trang thương mại điện tử hàng đ

PHPMailer - A full-featured email creation and transfer class for PHP Build status: Class Features Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more Integrated SMTP support - send without a local mail server Send emails with multiple To, CC, BCC and Rep

Recent Articles

PHPMailer, SwiftMailer Updates Resolve Critical Remote Code Execution Vulnerabilities
Threatpost • Chris Brook • 29 Dec 2016

Critical remote code execution vulnerabilities in two different libraries used to send emails via PHP were patched this week.
An issue in PHPMailer, thought fixed, was resolved with an update, version 5.2.21, pushed late Wednesday. Developers with another mailing library for PHP, SwiftMailer, remedied a similar issue that could have also led to remote code execution on Thursday.

Both bugs were disclosed this week by researcher Dawid Golunski of Legal Hackers.
An attac...

PHPMailer Bug Leaves Millions of Websites Open to Attack
Threatpost • Tom Spring • 27 Dec 2016

UPDATE
A critical PHPMailer bug tied to the way websites handle email and feedback forms is leaving millions of websites hosted on popular web-publishing platforms such as WordPress, Drupal and Joomla open to attack.
The flaw was disclosed by researcher Dawid Golunski of Legal Hackers, who said the vulnerability could be used by an unauthenticated remote attackers to achieve remote arbitrary code execution in the context of a web server and could be used to remotely compromise target...