A surveiller: PHPMailer
BMPCreated with Sketch.BMPZIPCreated with Sketch.ZIPXLSCreated with Sketch.XLSTXTCreated with Sketch.TXTPPTCreated with Sketch.PPTPNGCreated with Sketch.PNGPDFCreated with Sketch.PDFJPGCreated with Sketch.JPGGIFCreated with Sketch.GIFDOCCreated with Sketch.DOC Error Created with Sketch.
Question

A surveiller: PHPMailer
by
fritz2cat officiel (d'avant la migration)
Newbie
Created on 2016-10-20 12:08:26 (edited on 2024-09-04 11:59:59) in Hébergements Web

Bonjour,

Une vulnérabilité grave a été détectée dans PHPMailer.
Ce composant se trouve dans beaucoup de packages, tels Joomla, Wordpress, Zenphoto, etc.
Jusqu'à aujourd'hui il semble bien bien que pour pouvoir abuser PHPMailer (et donc pirater un site web) on doive pouvoir modifier l'adresse d'expédition des mails, ce qui est rarement le cas dans les CMS.

Il ne faut donc pas tomber dans la paranoia de pré-nouvel-an, mais bien garder un oeil là-dessus.

> From: Dawid Golunski

> PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
> (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

> Discovered by Dawid Golunski (@dawid_golunski)
> https://legalhackers.com

> Desc:
> I discovered that the current PHPMailer versions (< 5.2.20) were still
> vulnerable to RCE as it is possible to bypass the currently available
> patch.

> This was reported responsibly to the vendor & assigned a CVEID on the
> 26th of December.
> The vendor has been working on a new patch which would fix the problem but
> not break the RFC too badly. The patch should be published very soon.

> I'm releasing this as a 0day without the new patch available publicly
> as a potential bypass was publicly discussed on oss-sec list with Solar
> Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
> further would serve no purpose.


> Current advisory URL:

> https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

> PoC exploit URL:
> https://legalhackers.com/exploits/CVE-2016-10045/PHPMailer_RCE_exploit.pl

> More updates soon at:

> https://twitter.com/dawid_golunski


> Stay tuned.

> --
> Regards,
> Dawid Golunski
> https://legalhackers.com
> t: @dawid_golunski
Upvotes (1)
924 Views
1 Reply ( Latest reply on 2016-12-30 11:13:39 by
JohnH
)
CDU

Salut,

Merci pour l'info. Apparemment, même s'il utilise PHPMailer, Wordpress ne serait pas vulnérable : https://wordpress.org/support/topic/critical-phpmailer-flaw/#post-8593854
Helpful (0)
V

Merci pour cette remontée @Fritz2cat ! Vu son importance, je me permet de la relayer sur la mailing list @web.

Joyeuses fêtes de fin d'années,
Vincent
Helpful (0)
J

Pour information, selon le mainteneur de PHPMailer, c'est uniquement les implémentations utilisant la fonction `mail()` de PHP qui sont vulnérables. L'envoi par SMTP - `isSMTP()` - n'est pas à risque :
> _You are also safe if you're using PHPMailer's SMTP transport (i.e. you call $mail->isSMTP() in your code), as that transport does not execute shell commands._
https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities PHPMailer wiki (en anglais)

Il vaut mieux le mettre à jour, bien sûr. La version actuelle est 5.2.21

Joyeuses fêtes à tous !
Helpful (0)

Join discussion