Overview
A critical remote code execution vulnerability exists in PHPMailer before version 5.2.18. It allows an unauthenticated attacker to execute arbitrary code by injecting additional sendmail command-line options through the library's Sender property, which PHPMailer formats into the fifth (additional parameters) argument of PHP's mail() function without sufficient validation. It became one of the most widely discussed PHP email library vulnerabilities because PHPMailer ships with WordPress and a large number of other applications, putting millions of sites in scope when it was first reported. The vulnerability was publicly disclosed at the end of December 2016 (the CVE record was published on December 30, 2016). CISA has identified CVE-2016-10033 as exploited in the wild, but it is not currently known to be used in ransomware campaigns.
Technical details
PHPMailer's mail() transport builds the fifth argument of PHP's mail() function as sprintf('-f%s', $this->Sender), so that sendmail receives the Sender as the envelope sender (-f). PHP's mail() runs that extra-parameter string through escapeshellcmd(), which neutralizes shell metacharacters such as backticks, semicolons and pipes, and then launches the configured sendmail_path plus the parameters through /bin/sh. What escapeshellcmd() does not touch is whitespace. RFC 5321 allows a quoted local part that contains spaces and escaped quotes, and the address validation PHPMailer applies when an application sets the address through setFrom() (validateAddress()) accepts such addresses, so a value in the shape of the public exploit,
"attacker\" -oQ/tmp/ -X/var/www/html/cache/rce.php  x"@example.com
passes validation intact and is then split by the shell into separate sendmail arguments. On systems using a sendmail-compatible mail transport agent (MTA) this lets the attacker inject -X, which writes the complete SMTP transcript, message body included, to a file of the attacker's choosing, together with -oQ to relocate the queue directory to a writable path; the -C option to point sendmail at an alternate configuration file is another target. When the -X log is written into a web-accessible directory and the message body carries PHP code, requesting that file executes it: arbitrary code execution reached through an unauthenticated contact, registration or password-reset form.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
Impact
An unauthenticated attacker can achieve arbitrary code execution on the affected server with the privileges of the web server user (typically www-data or apache), since both PHP and the sendmail process it spawns run as that user. The practical precondition is a directory that the web server user can write to and that is also served over HTTP (a cache, upload or temporary directory under the document root). From there the attacker has complete control of the web application and potentially of the underlying server: reading sensitive files and configuration (database credentials, API keys), modifying application data, installing malware or web shells, pivoting to other systems on the network, or taking the application offline. Given the widespread use of PHPMailer in WordPress and other applications, the vulnerability affected millions of websites when first disclosed.
Mitigation and workarounds
Update PHPMailer to version 5.2.18 or later, and preferably to 5.2.20 or later. The 5.2.18 fix wrapped the Sender in escapeshellarg() before formatting the -f parameter; because PHP's mail() applies escapeshellcmd() on top of that, the combined escaping could still be broken out of, which was tracked separately as CVE-2016-10045. PHPMailer 5.2.20 therefore replaced escaping with validation: an isShellSafe() check that refuses to place the Sender on the command line at all unless it consists solely of alphanumerics and the characters @, _, - and . (if the check fails, the -f parameter is simply omitted). WordPress users should update WordPress to the latest available release, which bundles a patched PHPMailer. The following versions include the necessary fixes: PHPMailer 5.2.18+ (5.2.20+ recommended), PHPMailer 6.0.0+, WordPress releases that ship an updated PHPMailer.
Temporary workarounds:
- Stop using the mail() transport and deliver over SMTP instead: configure PHPMailer (isSMTP()) to send through an authenticated external mail server. No sendmail process is spawned on that path, so the command-line injection vector disappears entirely.
- Use PHP's open_basedir restriction to limit file access. Note its scope: open_basedir governs PHP's own file operations, not the sendmail child process, so it does not stop the -X log from being written; it does constrain what a dropped PHP file can subsequently read.
- Deploy web application firewall (WAF) rules that detect and block requests carrying typical exploitation payloads, such as email form fields containing whitespace followed by sendmail options (-X, -oQ, -C) or base64-encoded shell commands.
- Use SELinux or AppArmor to confine the web server process, denying it write access to the document root and the ability to execute arbitrary commands even if the injection succeeds.
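The mechanism described in the technical details, the allow-list check that replaced escaping in the fix, and the request-side detection suggested among the workarounds, as one added example in Python (this is not PHPMailer's code, and PHP's mail() is modeled rather than called). escapeshellcmd() is re-implemented from PHP's documented quoting rules, shlex.split stands in for /bin/sh word splitting, the sendmail path is PHP's Linux default, and the malicious sender string is a constructed value in the shape of the public exploit; the file path it names is an assumption for the demo.

```python
"""Model of the CVE-2016-10033 Sender injection, the allow-list check PHPMailer
5.2.20 introduced, and a request-side detector. Added example, not PHPMailer code."""
import re
import shlex

# Characters PHP's escapeshellcmd() prefixes with a backslash. Quotes are
# escaped only when they have no later partner; spaces are never escaped.
_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n\xff')

# PHP's default sendmail_path on Linux; mail() appends the fifth argument
# to it and hands the resulting line to /bin/sh via popen().
SENDMAIL_PATH = '/usr/sbin/sendmail -t -i'

# Constructed attacker value (demo data): a quoted local part, valid under
# RFC 5321, that smuggles extra sendmail options. -oQ moves the queue
# directory somewhere writable; -X logs the whole SMTP transcript, message
# body included, to an assumed path under the web root.
MALICIOUS_SENDER = r'"attacker\" -oQ/tmp/ -X/var/www/html/cache/rce.php  x"@example.com'


def escapeshellcmd(s: str) -> str:
    """Python model of PHP's escapeshellcmd(): metacharacters are escaped,
    a quote with a later partner is left alone, whitespace is untouched."""
    out = []
    partner = None  # index of the closing quote paired with an earlier one
    for i, c in enumerate(s):
        if c in ('"', "'"):
            nxt = s.find(c, i + 1)
            if partner is None and nxt != -1:
                partner = nxt          # opening quote with a partner: kept as is
            elif partner == i:
                partner = None         # the matching closing quote: kept as is
            else:
                out.append('\\')       # lone quote: escaped
        elif c in _ESCAPED:
            out.append('\\')
        out.append(c)
    return ''.join(out)


def sendmail_argv(sender: str) -> list[str]:
    """Argument vector sendmail receives when vulnerable PHPMailer passes
    sprintf('-f%s', $Sender) as the fifth mail() parameter: mail() applies
    escapeshellcmd(), then /bin/sh splits the line on unquoted whitespace
    (shlex.split follows the same POSIX rules)."""
    return shlex.split(SENDMAIL_PATH + ' ' + escapeshellcmd('-f' + sender))


_SAFE = re.compile(r'^[A-Za-z0-9@_.-]+$')


def is_shell_safe(sender: str) -> bool:
    """Allow-list modeled on PHPMailer 5.2.20's isShellSafe(): only
    alphanumerics plus '@', '_', '-' and '.' may reach the command line, so
    whitespace, quotes and backslashes are rejected rather than escaped.
    (PHPMailer itself uses ctype_alnum, which is locale dependent.)"""
    return bool(_SAFE.match(sender)) and escapeshellcmd(sender) == sender


# Sendmail options the public exploits inject, preceded by whitespace that a
# legitimate address never contains outside a quoted local part.
_INJECTED_OPTION = re.compile(r'\s-(?:X|C|oQ|OQueueDirectory)')


def looks_like_exploit(field_value: str) -> bool:
    """Request-side check for a WAF or input filter: flags an email form
    field whose value carries an injected sendmail option."""
    return bool(_INJECTED_OPTION.search(field_value))


if __name__ == '__main__':
    for sender in ('alice@example.com', MALICIOUS_SENDER):
        print(sender)
        print('  argv      :', sendmail_argv(sender))
        print('  shell-safe:', is_shell_safe(sender))
        print('  flagged   :', looks_like_exploit(sender))
```

Running the block shows the benign address arriving as a single -falice@example.com argument, while the constructed value is split into -fattacker\, -oQ/tmp/ and -X/var/www/html/cache/rce.php: the backslash and the stray quote are escaped, but the spaces inside the quoted local part survive escapeshellcmd() and become argument boundaries. The allow-list check rejects the same value outright, and the detector catches it at the request layer before it reaches the library.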
CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI

