[3.4] phpmailer: Remote Code Execution (CVE-2016-10033, CVE-2016-10045)
CVE-2016-10033:
The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.
Fixed In Version:
phpmailer 5.2.18
Reference:
http://seclists.org/oss-sec/2016/q4/750
CVE-2016-10045:
The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Fixed in Version:
phpmailer 5.2.20
Reference:
(from redmine: issue id 6624, created on 2017-01-04, closed on 2017-01-23)
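Both CVE descriptions above involve an attacker-influenced address reaching the parameter string of the mail command, where separate escaping layers interact badly. As an added example (not PHPMailer's code and not part of this issue), one mitigation is an allow-list check that does not rely on any escaping; the helper names and sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example: allow-list check for an envelope sender before it is used
// to build the additional-parameters string handed to mail().

/**
 * Hypothetical helper: true only if $addr is a valid address made solely of
 * characters from a conservative allow-list, so that no quoting or escaping
 * layer has to be trusted afterwards.
 */
function envelope_sender_is_safe(string $addr): bool
{
    if ($addr === '' || strlen($addr) > 254) {
        return false;
    }
    // Letters, digits and @ _ . + - only. This excludes quotes, backslashes,
    // whitespace and control characters; \z rejects a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9@_.+-]+\z/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Hypothetical helper: returns the extra parameter string for mail(), or ''
 * when the address fails the check (the caller then sends without -f).
 */
function sender_params(string $addr): string
{
    return envelope_sender_is_safe($addr) ? '-f' . $addr : '';
}

// Constructed sample inputs, not taken from any real report.
$samples = [
    'alice@example.com',
    'bob+news@example.org',
    "carol\\\"x y@example.com",  // contains \" and a space
    "dave'@example.com",         // contains a single quote
    "erin@example.com\n",        // trailing newline
];
foreach ($samples as $s) {
    printf("%-30s => %s\n", json_encode($s), var_export(sender_params($s), true));
}
```

Only the first two samples yield a `-f` parameter; the other three return an empty string, so the address is never placed in the parameter string at all.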
- Relations:
  - parent #6622 (closed)
- Changesets:
  - Revision 83e615d8 by Sergei Lukin on 2017-01-13T09:44:21Z:
main/php5-phpmailer: security upgrade to 5.2.4 - fixes #6624
CVE-2016-10033
CVE-2016-10045
Issues were fixed in 5.2.18 and 5.2.20
However, there were major changes between 5.2.0 and 5.2.20
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
5.2.0 is NOT AVAILABLE anymore for download
Next available version is 5.2.4
https://github.com/PHPMailer/PHPMailer/releases?after=v5.2.5
(not sure if there were major changes between 5.2.0 and 5.2.4)
This upgrade contains a patch which is based on 2 commits
containing fixes for CVE-2016-10045 and CVE-2016-10033:
https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
These commits were adjusted to 5.2.4