PHPMailer Remote Shell Command Execution Vulnerability
BID:24417
Info
PHPMailer Remote Shell Command Execution Vulnerability
| Bugtraq ID: | 24417 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3215 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 11 2007 12:00AM |
| Updated: | Jun 26 2009 06:59PM |
| Credit: | Thor Larholm is credited with discovering this issue. |
| Vulnerable: |
WordPress WordPress 2.0.10 WordPress WordPress 2.0.7 WordPress WordPress 2.0.6 WordPress WordPress 2.0.5 WordPress WordPress 2.0.4 WordPress WordPress 2.0.3 WordPress WordPress 2.0.2 WordPress WordPress 2.0.1 WordPress WordPress 2.0 WordPress WordPress 2.1 WordPress WordPress 2.0.10-RC2 WordPress WordPress 2.0.10-RC1 Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 rpsblog.com Symphony 1.0.4 PHPMailer PHPMailer 1.7.3 PHPMailer PHPMailer 1.7.2 PHPMailer PHPMailer 1.7.1 PHPMailer PHPMailer 1.7 PHPMailer PHPMailer 1.73 MamboXChange LaiThai 4.5.5 Mahara Mahara 1.0.5 Mahara Mahara 1.0.4 Mahara Mahara 1.0.3 Mahara Mahara 1.0.2 Mahara Mahara 1.0.1 Mahara Mahara 1.0 Knowledgeroot Knowledgebase 0.9.8.2 IPplan IP address management system 4.85 Debian Linux 4.0 |
| Not Vulnerable: |
MamboXChange LaiThai 4.5.6 Mahara Mahara 1.0.6 |
Discussion
PHPMailer Remote Shell Command Execution Vulnerability
PHPMailer is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.
This issue affects PHPMailer when configured to use sendmail.
An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application using the affected class utility.
PHPMailer 1.73 and prior versions are vulnerable to this issue.
PHPMailer is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.
This issue affects PHPMailer when configured to use sendmail.
An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application using the affected class utility.
PHPMailer 1.73 and prior versions are vulnerable to this issue.
Exploit / POC
PHPMailer Remote Shell Command Execution Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
PHPMailer Remote Shell Command Execution Vulnerability
Solution:
Fixes from multiple vendors are available. Please see the references for details.
The following unofficial patch is available to address this issue. Symantec has not confirmed the integrity of this fix.
Patch:
Index: class.phpmailer.php
===================================================================
--- class.phpmailer.php (revisión: 161)
+++ class.phpmailer.php (copia de trabajo)
@@ -424,9 +424,9 @@
function SendmailSend($header, $body)
{
if ($this->Sender != "") {
- $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
$this->Sender);
+ $sendmail = sprintf("%s -oi -f %s -t",
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
} else {
- $sendmail = sprintf("%s -oi -t", $this->Sendmail);
+ $sendmail = sprintf("%s -oi -t",
escapeshellcmd($this->Sendmail));
}
if (!@$mail = popen($sendmail, "w")) {
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.10 amd64
Solution:
Fixes from multiple vendors are available. Please see the references for details.
The following unofficial patch is available to address this issue. Symantec has not confirmed the integrity of this fix.
Patch:
Index: class.phpmailer.php
===================================================================
--- class.phpmailer.php (revisión: 161)
+++ class.phpmailer.php (copia de trabajo)
@@ -424,9 +424,9 @@
function SendmailSend($header, $body)
{
if ($this->Sender != "") {
- $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
$this->Sender);
+ $sendmail = sprintf("%s -oi -f %s -t",
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
} else {
- $sendmail = sprintf("%s -oi -t", $this->Sendmail);
+ $sendmail = sprintf("%s -oi -t",
escapeshellcmd($this->Sendmail));
}
if (!@$mail = popen($sendmail, "w")) {
Ubuntu Ubuntu Linux 8.04 LTS powerpc
-
Ubuntu moodle_1.8.2-1ubuntu4.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubu ntu4.2_all.deb
Ubuntu Ubuntu Linux 8.10 powerpc
-
Ubuntu moodle_1.8.2-1.2ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2u buntu2.1_all.deb
Ubuntu Ubuntu Linux 8.04 LTS sparc
-
Ubuntu moodle_1.8.2-1ubuntu4.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubu ntu4.2_all.deb
Ubuntu Ubuntu Linux 8.10 i386
-
Ubuntu moodle_1.8.2-1.2ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2u buntu2.1_all.deb
Ubuntu Ubuntu Linux 8.04 LTS amd64
-
Ubuntu moodle_1.8.2-1ubuntu4.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubu ntu4.2_all.deb
Ubuntu Ubuntu Linux 8.04 LTS lpia
-
Ubuntu moodle_1.8.2-1ubuntu4.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubu ntu4.2_all.deb
Ubuntu Ubuntu Linux 8.10 lpia
-
Ubuntu moodle_1.8.2-1.2ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2u buntu2.1_all.deb
Ubuntu Ubuntu Linux 8.10 sparc
-
Ubuntu moodle_1.8.2-1.2ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2u buntu2.1_all.deb
Ubuntu Ubuntu Linux 8.04 LTS i386
-
Ubuntu moodle_1.8.2-1ubuntu4.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1ubu ntu4.2_all.deb
Ubuntu Ubuntu Linux 8.10 amd64
-
Ubuntu moodle_1.8.2-1.2ubuntu2.1_all.deb
http://security.ubuntu.com/ubuntu/pool/main/m/moodle/moodle_1.8.2-1.2u buntu2.1_all.deb
References
PHPMailer Remote Shell Command Execution Vulnerability
References:
References:
- Mambo LaiThai Global 4.5.6 Release Notes (MamboXChange)
- PHPMailer 0day remote execution (Thor Larholm)
- Announcements: GLPI 0.68.3-2 bug fixes (GLPI)
- Knowledgeroot Knowledgebase Release Name: 0.9.8.3 (Knowledgeroot Knowledgebase)
- Mahara 1.0.6 Release Notes (Mahara)
- Mahara Homepage (Mahara)
- PHPMailer Home Page (PHPMailer)
- PHPMailer command execution (Thor Larhom)
- [ 1734811 ] popen command execution (Thor Larholm - larholm)
- DSA-1315-1 libphp-phpmailer -- missing input validation (Debian)
- GPLI Homepage (GPLI)
- IPplan IP address management system Release 4.86a (IP address management system Project)
- Symfony 1.0.5 Release Notes (Symfony)
- WordPress 2.2.1Release Notes (WordPress)