A critical vulnerability, tracked as CVE-2016-10033, affects PHPMailer, one of the most popular open source PHP libraries used to send emails. It has been estimated that more than 9 million users worldwide rely on this library.
Millions of websites using PHP and popular CMS, including WordPress, Drupal, and Joomla currently use the library for sending emails.
CVE-2016-10033 affects all versions of the library before the PHPMailer 5.2.18 release.
The flaw was discovered by the well-known security expert Dawid Golunski of Legal Hackers. It could be exploited by a remote, unauthenticated attacker to execute arbitrary code in the context of the web server user and compromise the target web application.
“Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application,” Golunski explained in a security advisory.
“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
The advisory currently provides only a few details about the exploitation of the flaw, to give users a chance to fix their PHPMailer class first. The expert confirmed that full details of the CVE-2016-10033 vulnerability will be published shortly.
Golunski reported the flaw to the developers who have promptly fixed it in the PHPMailer 5.2.18 release.
The researcher also plans to include in the advisory a proof-of-concept exploit code and video PoC of the attack.
Administrators and developers must update to the patched release as soon as possible.
(Security Affairs – CVE-2016-10033, hacking)