Critical Flaw in PHPMailer Allows Remote Exploits

PHPMailer, one of the most widely used open source PHP libraries, is affected by a critical vulnerability discovered by Polish security researcher Dawid Golunski of Legal Hackers that leaves it open to remote exploitation.

Specifics of the vulnerability (CVE-2016-10033) have yet to be published: Golunski is withholding the technical details for now because of how widely PHPMailer is deployed, to give site owners time to update before working exploits circulate.

Golunski did describe the impact, however: the flaw allows a remote attacker to execute arbitrary code in the context of the web server user, which in turn compromises the target web application and anything that account can reach.


To exploit the vulnerability, an attacker targets any website component that sends email through a vulnerable version of the PHPMailer class. Such components include contact and feedback forms, registration forms, password reset emails and many others; the common thread is that attacker-controlled input from a web form reaches PHPMailer.

Golunski reported the vulnerability to the PHPMailer developers, who have patched it in PHPMailer 5.2.18. As all versions of PHPMailer prior to 5.2.18 are affected, web administrators and developers should update their PHPMailer installations as soon as possible, including copies bundled inside CMS plugins and themes, which are easy to overlook.
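Finding every copy of PHPMailer is the practical problem, since the library is often vendored rather than installed through Composer. The script below is an added example, not code from the article or from the PHPMailer project; it checks the two places a PHPMailer version normally appears, the `phpmailer/phpmailer` entry in `composer.lock` and the `$Version` property declared in `class.phpmailer.php`, and flags anything below the fixed release named above. The `composer.lock` and class-file contents are constructed samples, and the `5.2.18` floor is a parameter so it can be raised if a later release is required.

```python
"""Audit a PHP code base for PHPMailer versions older than the fixed release.

Added example (not from the article or the PHPMailer project). The sample
composer.lock and class file below are constructed for illustration.
"""
import json
import re

# Release the article names as the fix for CVE-2016-10033.
FIXED_VERSION = "5.2.18"


def parse_version(text):
    """Turn '5.2.17' or 'v5.2.17' into a tuple of ints for numeric comparison.

    A plain string comparison would rank '5.10.0' below '5.2.18', so the
    components are compared as integers.
    """
    text = text.strip().lstrip("vV")
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if the given PHPMailer version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def versions_from_composer_lock(lock_text):
    """Return every phpmailer/phpmailer version pinned in a composer.lock."""
    data = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name", "").lower() == "phpmailer/phpmailer":
                found.append(pkg["version"])
    return found


# Matches the version property PHPMailer 5.x declares, e.g. public $Version = '5.2.17';
VERSION_PROP_RE = re.compile(r"""\$Version\s*=\s*['"]([^'"]+)['"]""")


def version_from_class_file(php_source):
    """Return the $Version value declared in a class.phpmailer.php, or None."""
    m = VERSION_PROP_RE.search(php_source)
    return m.group(1) if m else None


def audit(lock_text=None, class_source=None, fixed=FIXED_VERSION):
    """Return (location, version, vulnerable) findings for the inputs given."""
    findings = []
    if lock_text is not None:
        for v in versions_from_composer_lock(lock_text):
            findings.append(("composer.lock", v, is_vulnerable(v, fixed)))
    if class_source is not None:
        v = version_from_class_file(class_source)
        if v is not None:
            findings.append(("class.phpmailer.php", v, is_vulnerable(v, fixed)))
    return findings


# Constructed sample inputs: a Composer-managed copy that is out of date and a
# vendored class file that has already been updated.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.16"},
        {"name": "monolog/monolog", "version": "1.22.0"},
    ],
    "packages-dev": [],
})

SAMPLE_CLASS = """<?php
class PHPMailer
{
    public $Version = '5.2.18';
    public $Priority = null;
}
"""

if __name__ == "__main__":
    for where, version, vulnerable in audit(SAMPLE_LOCK, SAMPLE_CLASS):
        status = "VULNERABLE - update" if vulnerable else "ok"
        print("%-22s %-8s %s" % (where, version, status))
```

To run it against a real deployment, feed `audit()` the contents of each `composer.lock` and each `class.phpmailer.php` found under the document root (a `find` for that filename is usually enough), and treat every `VULNERABLE` line as a copy to upgrade; bundled copies inside plugin directories count just as much as the one in `vendor/`.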


Source: The Hacker News