[3.5] phpmailer: Remote Code Execution (CVE-2016-10033, CVE-2016-10045)
The mailSend function in the isMail transport in PHPMailer before 5.2.18,
when the Sender property is not set, might allow remote attackers to pass
extra parameters to the mail command and consequently execute arbitrary
code via a \" (backslash double quote) in a crafted From address.
Fixed In Version:
The isMail transport in PHPMailer before 5.2.20, when the Sender
property is not set, might allow remote attackers to pass extra
parameters to the mail command and consequently execute arbitrary code
by leveraging improper interaction between the escapeshellarg function
and internal escaping performed in the mail function. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2016-10033.
Fixed in Version:
(from redmine: issue id 6623, created on 2017-01-04, closed on 2017-01-23)
- parent #6622 (closed)
- Revision 66935a2a by Sergei Lukin on 2017-01-12T07:56:56Z:
main/php5-phpmailer: security fixes #6623 CVE-2016-10033 CVE-2016-10045
Issues were fixed in 5.2.18 and 5.2.20
However, there were major changes between 5.2.4 and 5.2.20
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
This upgrade contains patch which is based on 2 commits containing fix for CVE-2016-10045 and CVE-2016-10033:
https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
Commits were adjusted to 5.2.4
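
A defensive check for the condition both CVE descriptions name, as an added example (not PHPMailer's code and not the patch referenced in the commit above): rather than quoting the address, it passes the sender to mail() only when the address contains no character that would need shell escaping. The function names and the sample addresses are constructed for illustration.

```php
<?php
// Added example. sender_is_shell_safe() and envelope_params() are
// hypothetical helpers, not part of PHPMailer.

/**
 * Accept a sender only if it is a syntactically valid address AND consists
 * solely of characters that need no shell quoting or escaping.
 */
function sender_is_shell_safe(string $addr): bool
{
    if ($addr === '' || strlen($addr) > 254) {
        return false;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Allowlist: no quotes, backslashes or whitespace, and no leading '-'.
    return preg_match('/\A[A-Za-z0-9_.+][A-Za-z0-9_.+@-]*\z/', $addr) === 1;
}

/**
 * Build the additional-parameters argument of mail(). Returns null when the
 * sender must not reach the command line, so the caller omits -f entirely
 * instead of layering escapeshellarg() over mail()'s own escaping.
 */
function envelope_params(string $addr): ?string
{
    return sender_is_shell_safe($addr) ? '-f' . $addr : null;
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',
    'build-bot+alerts@example.org',
    '"user\" extra-arg"@example.com',  // backslash double quote and a space
    "user'name@example.com",           // valid address, but needs quoting
    '-oops@example.com',               // leading dash
];

foreach ($samples as $s) {
    $p = envelope_params($s);
    printf("%-34s => %s\n", $s, $p === null ? 'rejected (no -f passed)' : $p);
}
```

Only the first two samples produce a `-f` parameter; the other three are rejected and the message would be sent without an envelope sender on the command line.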