CVE-2016-10045

CRITICAL

PHPMailer <5.2.20 - RCE

Title source: llm

Description

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Exploits (3)

exploitdb WORKING POC

by phackt_ul · pythonwebappsphp

https://www.exploit-db.com/exploits/42221

View Code ZIP pw:eip

exploitdb WORKING POC

by Dawid Golunski · pythonwebappsphp

https://www.exploit-db.com/exploits/40986

View Code ZIP pw:eip

exploitdb WORKING POC

by Dawid Golunski · pythonwebappsphp

https://www.exploit-db.com/exploits/40969

View Code ZIP pw:eip

References (15)

[Mailing List, Patch] http://openwall.com/lists/oss-security/2016/12/28/1

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html

[Mailing List, Patch, Third Party Advisory] http://seclists.org/fulldisclosure/2016/Dec/81

[Exploit, Third Party Advisory] http://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/539967/100/0/threaded

[Exploit, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95130

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1037533

[Third Party Advisory] https://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html

[Patch, Vendor Advisory] https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20

[Patch, Vendor Advisory] https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

[Exploit, Patch, Third Party Advisory] https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/40969/

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/40986/

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/42221/

Scores

CVSS v3 9.8

EPSS 0.9337

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (4)

joomla/joomla\! 1.5.0 - 3.6.5

phpmailer/phpmailer 5.0.0 - 5.2.20Packagist

phpmailer_project/phpmailer < 5.2.20

wordpress/wordpress < 4.7

Published Dec 30, 2016

Tracked Since Feb 18, 2026