Bug 1409489 (CVE-2016-10033) - CVE-2016-10033 phpmailer: Parameter injection via mail() function
Summary: CVE-2016-10033 phpmailer: Parameter injection via mail() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1409490 1409491 1409492 1409493 1409494 1409495 1409496 1409497 1409498 1409504
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-02 09:04 UTC by Andrej Nemec
Modified: 2021-02-25 22:23 UTC (History)
10 users (show)

Fixed In Version: phpmailer 5.2.18
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-09 12:02:10 UTC
Embargoed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-02 09:04:54 UTC
A vulnerability was found in PHPMailer. This code is being used in multiple web applications. A remote code execution could be achieved by passing a maliciously crafted expression to the vulnerable application.

References:

http://seclists.org/oss-sec/2016/q4/750
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Comment 1 Andrej Nemec 2017-01-02 09:06:24 UTC
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1409494]
Affects: fedora-all [bug 1409495]
Affects: epel-all [bug 1409496]

Comment 2 Andrej Nemec 2017-01-02 09:06:33 UTC
Created wordpress tracking bugs for this issue:

Affects: fedora-all [bug 1409497]
Affects: epel-all [bug 1409498]

Comment 3 Andrej Nemec 2017-01-02 09:06:41 UTC
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1409492]
Affects: epel-5 [bug 1409493]

Comment 4 Andrej Nemec 2017-01-02 09:06:48 UTC
Created php-PHPMailer tracking bugs for this issue:

Affects: fedora-all [bug 1409490]
Affects: epel-all [bug 1409491]

Comment 5 Andrej Nemec 2017-01-02 09:55:09 UTC
Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1409504]

Comment 6 Gianluca Sforna 2017-01-02 13:39:27 UTC
Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer since long, so for that app the problem will be fixed as soon as the phpmailer update lands in repos.

Comment 7 Andrej Nemec 2017-01-02 13:43:05 UTC
(In reply to Gianluca Sforna from comment #6)
> Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer
> since long, so for that app the problem will be fixed as soon as the
> phpmailer update lands in repos.

Hi Gianluca, thanks for the update. I am marking mantis as notaffected and will close the relevant tracking bug.

Comment 8 Shawn Iwinski 2017-01-02 17:13:35 UTC
All Drupal bugs closed as Drupal 7/8 are not affected.  See https://www.drupal.org/psa-2016-004

> The PHPMailer and SMTP modules (and maybe others) add support for
> sending e-mails using the 3rd party PHPMailer library.

> In general the Drupal project does not create advisories for 3rd
> party libraries. Drupal site maintainers should pay attention to
> the notifications provided by those 3rd party libraries as outlined
> in PSA-2011-002 - External libraries and plugins. However, given the
> extreme criticality of this issue and the timing of its release we
> are issuing a Public Service Announcement to alert potentially
> affected Drupal site maintainers.

Comment 9 Remi Collet 2017-01-05 06:45:36 UTC
Notice, the fix for this CVE is not enough.
See CVE-2016-10045, fixed in PHPMailer 5.2.20 (5.2.21 already in testing repo)

Comment 10 Benoit Donneaux 2017-01-31 08:24:47 UTC
Already got those from EPEL (from Remi I guess?):

php-PHPMailer-5.2.22-1.el6
php-PHPMailer-5.2.22-1.el7

Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223 for which I can not find any bug here!?

Comment 11 Benoit Donneaux 2017-01-31 08:33:34 UTC
(In reply to Benoit Donneaux from comment #10)
> Already got those from EPEL (from Remi I guess?):
> 
> php-PHPMailer-5.2.22-1.el6
> php-PHPMailer-5.2.22-1.el7
> 
> Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223
> for which I can not find any bug here!?

My bad: found CVE-2016-10045 at https://bugzilla.redhat.com/show_bug.cgi?id=1412216


Note You need to log in before you can comment on or make changes to this bug.