J-Security Center

Title: PHPMailer Remote Shell Command Execution Vulnerability

Severity: CRITICAL

Description:

PHPMailer is a utility class used in PHP applications to send email through a local sendmail binary, the PHP mail() function, or SMTP.

PHPMailer is prone to a remote command-execution vulnerability because it fails to adequately escape user-supplied input before handing it to a shell.

Specifically, the vulnerability resides in the 'SendmailSend' function of the 'class.phpmailer.php' script. When mail is delivered through the sendmail transport, the function builds the sendmail command line by splicing the 'Sender' value (the envelope-from address) into a string and runs that string with PHP's popen(), which passes it to a shell. Because the address is not escaped, shell metacharacters in it (such as ';', '|' or backquotes) are interpreted as additional commands.

An attacker who can control the sender address passed to the class (for example, through a contact or registration form) may leverage this issue to execute arbitrary shell commands on the affected host with the privileges of the web application that uses the class.

PHPMailer 1.73 and prior versions are vulnerable to this issue.
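The following is an added illustration and is not code from PHPMailer or from this advisory. It shows how an unescaped sender address turns the sendmail invocation into a second shell command, and the two changes that close the hole: quoting the value with escapeshellarg() so it reaches sendmail as a single argument, and rejecting anything that is not a syntactically valid address before it gets near a shell. The function names, the sendmail path and the sample address are assumptions made for the example; running the script prints the command line each variant would pass to popen() without executing anything.

```php
<?php
// Added example (not PHPMailer's own code). It reproduces the pattern
// behind the advisory: a sendmail command line built from an
// attacker-influenced envelope-from address, in its unsafe and safe forms.

// Constructed attacker-controlled "from" value. The ';' terminates the
// sendmail invocation and starts a second command when the string is
// handed to a shell by popen().
$maliciousSender = 'victim@example.com; id > /tmp/pwned';
$sendmailPath    = '/usr/sbin/sendmail';   // assumed location

// Vulnerable pattern: the sender is interpolated verbatim into the
// command string. Everything after the ';' runs as a separate command.
function buildSendmailCmdVulnerable(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), $sender);
}

// Hardened pattern: escapeshellarg() wraps the value in single quotes and
// neutralises embedded quotes, so the whole address is one argument to
// sendmail's -f option and shell metacharacters lose their meaning.
function buildSendmailCmdSafe(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), escapeshellarg($sender));
}

// Defence in depth: an envelope-from address should look like an address.
// Rejecting malformed input keeps metacharacters out entirely, independent
// of how the command line is assembled later.
function isAcceptableSender(string $sender): bool
{
    return filter_var($sender, FILTER_VALIDATE_EMAIL) !== false;
}

echo "vulnerable command line:\n  ",
     buildSendmailCmdVulnerable($sendmailPath, $maliciousSender), "\n";
echo "hardened command line:\n  ",
     buildSendmailCmdSafe($sendmailPath, $maliciousSender), "\n";
echo "validation accepts malicious value: ",
     var_export(isAcceptableSender($maliciousSender), true), "\n";
echo "validation accepts normal value:    ",
     var_export(isAcceptableSender('victim@example.com'), true), "\n";
```

When auditing an application that bundles an old PHPMailer, the thing to look for is the same shape: any popen(), exec(), system() or proc_open() call whose command string is assembled with sprintf() or string concatenation from a value that originates in a request. Quoting each such value with escapeshellarg() is the minimal fix; validating it against the format it is supposed to have (here, an email address) is the check that catches the cases quoting alone does not.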

Affected Products:

  • Debian Linux 4.0
  • GLPI GLPI 0.68.2
  • GLPI GLPI 0.68.3
  • IPplan IP address management system 4.85
  • Knowledgeroot Knowledgebase 0.9.8.2
  • Mahara Mahara 1.0.0
  • Mahara Mahara 1.0.1
  • Mahara Mahara 1.0.2
  • Mahara Mahara 1.0.3
  • Mahara Mahara 1.0.4
  • Mahara Mahara 1.0.5
  • MamboXChange LaiThai 4.5.5
  • PHPMailer PHPMailer 1.7.0
  • PHPMailer PHPMailer 1.7.1
  • PHPMailer PHPMailer 1.7.2
  • PHPMailer PHPMailer 1.7.3
  • PHPMailer PHPMailer 1.73
  • Ubuntu Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Ubuntu Linux 8.04 LTS i386
  • Ubuntu Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Ubuntu Linux 8.04 LTS sparc
  • Ubuntu Ubuntu Linux 8.10 amd64
  • Ubuntu Ubuntu Linux 8.10 i386
  • Ubuntu Ubuntu Linux 8.10 lpia
  • Ubuntu Ubuntu Linux 8.10 powerpc
  • Ubuntu Ubuntu Linux 8.10 sparc
  • WordPress WordPress 2.0.0
  • WordPress WordPress 2.0.1
  • WordPress WordPress 2.0.10
  • WordPress WordPress 2.0.10-RC1
  • WordPress WordPress 2.0.10-RC2
  • WordPress WordPress 2.0.2
  • WordPress WordPress 2.0.3
  • WordPress WordPress 2.0.4
  • WordPress WordPress 2.0.5
  • WordPress WordPress 2.0.6
  • WordPress WordPress 2.0.7
  • WordPress WordPress 2.1
  • rpsblog.com Symphony 1.0.4

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.