CVE-2016-10033 Scanner
Detects the Remote Code Execution (RCE) vulnerability in the isMail transport of PHPMailer, affecting versions before 5.2.18.
Short Info
- Level: Critical
- Single Scan
- Can be used by: Asset Owner
- Estimated Time: 15 seconds
- Time Interval: 29 days
- Scan only one: Domain, IPv4
- Toolbox: -
PHPMailer is a popular email-sending library written in PHP. It provides a comprehensive suite of features, including the ability to send email through the isMail transport. The isMail transport uses PHP's mail() function, which hands the message either to an SMTP server configured on the system or, more commonly, to the local sendmail program, which it invokes directly.
CVE-2016-10033 is a vulnerability in the isMail transport in PHPMailer before version 5.2.18. It allows an attacker to execute arbitrary code on the target machine by smuggling extra parameters into the mail command. Specifically, an attacker can place a backslash double quote (\") sequence in a crafted sender property; this value is not escaped correctly before it is used to build the additional parameters passed to sendmail, so the attacker-controlled text that follows it is interpreted as further command-line arguments rather than as part of the address, and those arguments can be chosen to obtain code execution.
Exploiting this vulnerability can lead to a wide range of consequences depending on the context of the target system. In the most severe case, an attacker can gain complete control over the target system and execute arbitrary commands with the privileges of the web server user. This can result in data loss, service interruption, or even the complete takeover of the system.
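As an added illustration, not code from the s4e.io scanner or from PHPMailer, the following Python shows the two checks a defender would apply in turn: flag a PHPMailer version string older than the fixed release 5.2.18, and reject any sender value containing characters the shell could interpret before it is used to build sendmail's extra parameters. The address policy and the metacharacter set are assumptions, deliberately stricter than RFC 5322.

```python
import re
from typing import Optional, Tuple

FIXED_VERSION = (5, 2, 18)  # first PHPMailer release with the fix

# Characters with special meaning to /bin/sh. The advisory hinges on the
# backslash and double quote, but any of these can alter sendmail's argument
# vector, so a sender containing one must never reach the -f parameter.
# Assumed set: stricter than what PHPMailer itself permits.
SHELL_META = set('\\"\'`$|&;<>()[]{}*?~#!\t\r\n ')

# Plain mailbox form only: dot-atom local part, hostname domain. No quoted
# local parts, comments or whitespace (assumed policy, stricter than RFC 5322).
PLAIN_ADDR = re.compile(
    r'^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def reject_reason(sender: str) -> Optional[str]:
    """Return why `sender` must not be passed to sendmail, or None if it is safe."""
    bad = sorted(SHELL_META & set(sender))
    if bad:
        return "shell metacharacter(s) " + " ".join(repr(c) for c in bad)
    if not PLAIN_ADDR.match(sender):
        return "not a plain mailbox address"
    return None


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first dotted version from text such as 'PHPMailer 5.2.14'."""
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(text: str) -> bool:
    """True when the version in `text` is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs, not real scan data.
    for v in ("PHPMailer 5.2.17", "5.2.18", "v6.5.0"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    for s in ("alice@example.com", 'alice\\"@example.com', "bob smith@example.com"):
        print(repr(s), reject_reason(s) or "accepted")
```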
Thanks to the pro features of the s4e.io platform, readers of this article can easily and quickly learn about vulnerabilities in their digital assets. With the platform's comprehensive scanning and reporting capabilities, users can identify vulnerabilities before they are exploited by attackers. Moreover, the platform provides actionable recommendations to help users mitigate the risks of these vulnerabilities and strengthen their overall security posture.
REFERENCES
- http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
- http://seclists.org/fulldisclosure/2016/Dec/78
- http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
- http://www.securityfocus.com/archive/1/539963/100/0/threaded
- http://www.securityfocus.com/bid/95108
- http://www.securitytracker.com/id/1037533
- https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
- https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
- https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
- https://www.drupal.org/psa-2016-004
- https://www.exploit-db.com/exploits/40968/
- https://www.exploit-db.com/exploits/40969/
- https://www.exploit-db.com/exploits/40970/
- https://www.exploit-db.com/exploits/40974/
- https://www.exploit-db.com/exploits/40986/
- https://www.exploit-db.com/exploits/41962/
- https://www.exploit-db.com/exploits/41996/
- https://www.exploit-db.com/exploits/42024/
- https://www.exploit-db.com/exploits/42221/