Critical PHPMailer Vulnerability

A word from our sponsor:

Submitted by on

Printer-friendly version

Author: 

Blog About: 

Hey everyone! I know quite a lot of users here are quite technical, and many have their own websites, so I thought it was important to post this here.

Recently it was disclosed that there is a Remote Code Execution Exploit for PHPMailer which is used by MANY frameworks, and CMS software (and custom projects). This exploit could easily allow an attacker to take control of your website and or server. If you would like to read more about it, I posted a blog on our website: Critical PHP Exploit: PHPMailer (Affects WordPress & More)

-Piper

P.S. BigCloset/TopShelf is safe as the only module we use that uses PHPMailer, uses a custom version that was NOT affected by this vulnerability!

Comments

I don't have that many

Submitted by on

I don't have that many wordpress sites on my servers, but I'll definitely check to make sure. Thanks for the update.

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Swiftmailer and php mail()

Submitted by on

Piper's picture

Just an FYI that this also affects SwiftMailer as used by Symphony/laravel frameworks as well as just about any scripts that pass code ditrectly yo php's mail() function without properly filtering it.

https://legalhackers.com/advisories/SwiftMailer-Exploit-Remo...

"She was like a butterfly, full of color and vibrancy when she chose to open her wings, yet hardly visible when she closed them."
— Geraldine Brooks

Thanks Piper

Submitted by on

I deleted the script on my Wordpress Server last week when the CVE for the bug was released.

At least that server is standalone and does nothing else but serve a few pages.
I'm busy fighting the search bots that ignore the settings in 'robots.txt' at the moment. but simply blocking them at the firewall or hosts file takes time and they come back from a different URL a few hours later.
Samantha

The bulk of the search bots

Submitted by on

The bulk of the search bots that abuse the robots.txt (by ignoring it) are from just a small group of countries. If you block IP ranges, you can usually end up nailing all of them, unless you really care about Russian, Bulgarian, Brazilian, and Chinese visitors.

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Just to toss it out there, I

Submitted by on

Just to toss it out there, I only appear to have one wordpress phpmailer I have to worry about, and I can probably disable it without too much issue. (on one server. Haven't checked the other).

However, if you're running SugarCRM, it also uses phpmailer. That may not be vulnerable, because of the way the program works.

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Additional information,

Submitted by on

Additional information, scraped from wordfence.

But good news too - https://core.trac.wordpress.org/ticket/37210

"Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions. A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors."

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

One more - the author of

Submitted by on

One more - the author of phpmailer - Marcus Bointon - chimed in near the bottom of this thread.

https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/

It appears that unless you're using VERP or something similar, you're not going to be vulnerable to the exploit. The exploit can only come from the SENDER address, and that's not normally alterable by contact forms and similar. Usually it's a 'contacts@' (VERP are those insanely long SMTP 'from' addresses that people like ConstantContact use to make certain that their emails are marked as spam, because they combine insane long strings of semi-code, plus usually the receiver's domain name as well. Sometimes the entire email address, as 'from', but with an equals sign rather than an @ symbol. I get complaints, and I keep telling those customers that they need to bitch at the mass mailers, because they don't HAVE to use someone's to email address in the from line to track bounces and receives. )

If anyone's curious, I'll pull one of those out and post it up here so you can see what it looks like.

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Oh no.

Submitted by on

I do have 2 sites that use PHPMailer, so this is good to know. It will be a pain in the butt to fix.

Be sure to look at my posts,

Submitted by on

Be sure to look at my posts, and the links. You may not have to fix it, because apparently the exposed code isn't normally used.

I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

More like this