A critical vulnerability, tracked as CVE-2016-10033, affects PHPMailer, one of the most popular open source PHP libraries used to send emails. It has been estimated that more than 9 Million users worldwide leverages on this library.
Millions of websites using PHP and popular CMS, including WordPress, Drupal, and Joomla currently use the library for sending emails.
The CVE-2016-10033 affects all versions of the library before the PHPMailer 5.2.18 release.
The flaw was discovered by the notorious security expert Dawid Golunski from Legal Hackers, it could be exploited by a remote unauthenticated attacker to execute arbitrary code in the context of the web server and compromise the target web application.
“An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.” Golunski explained in a security advisory.
“To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”
The advisory provides a few details about the exploitation of the flaw to give users a chance to fix their PHPMailer class. The experts confirmed that the details of the CVE-2016-10033 vulnerability will be published shortly.
Golunski reported the flaw to the developers who have promptly fixed it in the PHPMailer 5.2.18 release.
The researcher also plans to include in the advisory a proof-of-concept exploit code and video PoC of the attack.
Administrators and developers must update to the patched release as soon as possible.
(Security Affairs – CVE-2016-10033, hacking)