Critical RCE vulnerabilities affect SwiftMailer, PhpMailer and ZendMail

Pierluigi Paganini January 03, 2017

The security expert Dawid Golunski from Legal Hackers has reported critical RCE flaws in the popular PHP libraries SwiftMailer, PhpMailer and ZendMail.

The indomitable Golunski managed to hack also this last patched version of PHPMailer and he discovered a vulnerability tracked as CVE-2016-10045.

“The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows to carry out Remote Code Execution on all current versions (including 5.2.19).” states the security advisory.

“The patch for CVE-2016-10033 vulnerability added in PHPMailer 5.2.17 sanitizes the $Sender variable by applying escapeshellarg() escaping before the value is passed to mail() function.

It does not however take into account the clashing of the escapeshellarg() function with internal escaping with escapeshellcmd() performed by mail() function on the 5th parameter.

As a result it is possible to inject an extra quote that does not get properly escaped and break out of the escapeshellarg() protection applied by the patch in PHPMailer 5.2.17.”

Once again millions of websites and web apps are open to cyber attacks. Web services running on WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, are potentially exposed to remote code execution attacks.

PHPMailer issued a new update PHPMailer version 5.2.20, so check that your version is the last one.

The bad news for website administrators is that similar issues were discovered in other two PHP libraries, SwiftMailer, and ZendMail. Both libraries are affected by remote code execution vulnerabilities.

SwiftMailer is a popular PHP library widely adopted in open-source projects, including programming frameworks like Yii2, Laravel, Symfony that allow sending emails over SMTP.

The flaw in the SwiftMailer, tracked as CVE-2016-10074, can be exploited by an attacker to compromise web site components that leverage on the library to send the email. Contact/registration forms, password email reset forms, and any other component of a website that uses the SwiftMailer class is potentially affected.

A remote attacker can trigger the flaw to execute arbitrary code in the context of the web server and gain control over the server.

The SwiftMailer flaw affects all versions of the library including the last one.

Golunski reported the vulnerability to the SwiftMailer development team who promptly issued the patched version 5.4.5.

“The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the “From,” “ReturnPath” or “Sender” header came from a non-trusted source, potentially allowing Remote Code Execution,” reads the changelog for the patched version of SwiftMailer.

As anticipated also the ZendMail is affected by a similar vulnerability tracked as CVE-2016-10034. ZendMail framework is widely adopted, it accounts for more than 95 Million installations.

The flaw in ZendMail can also be exploited to target web site components that use the ZendMail framework, such as contact/registration forms and password email reset forms.

Also in this case, the exploitation of the flaw could allow remote attackers to executed code in the context of the web server and compromise the target web application.

Golunski reported the issue to ZendMail who issued a patched version.

“When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program,” ZendMail wrote in a blog post.

“The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. 

The following example demonstrates injecting additional parameters to the sendmail binary via the From address:”


Golunski has released a proof-of-concept video demonstration that will show all the three attacks in action.

Golunski promised a white-paper on the issues he has discovered, meantime he published the website PwnScriptum that recap all the info on the vulnerabilities he discovered.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Critical RCE, hacking)

you might also like

leave a comment