Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1409489 (CVE-2016-10033) - CVE-2016-10033 phpmailer: Parameter injection via mail() function
Summary: CVE-2016-10033 phpmailer: Parameter injection via mail() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1409490 1409491 1409492 1409493 1409494 1409495 1409496 1409497 1409498 1409504
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-02 09:04 UTC by Andrej Nemec
Modified: 2021-02-25 22:23 UTC (History)
10 users (show)

Fixed In Version: phpmailer 5.2.18
Clone Of:
Environment:
Last Closed: 2017-05-09 12:02:10 UTC
Embargoed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-02 09:04:54 UTC
A vulnerability was found in PHPMailer. This code is being used in multiple web applications. A remote code execution could be achieved by passing a maliciously crafted expression to the vulnerable application.

References:

http://seclists.org/oss-sec/2016/q4/750
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Comment 1 Andrej Nemec 2017-01-02 09:06:24 UTC
Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1409494]
Affects: fedora-all [bug 1409495]
Affects: epel-all [bug 1409496]

Comment 2 Andrej Nemec 2017-01-02 09:06:33 UTC
Created wordpress tracking bugs for this issue:

Affects: fedora-all [bug 1409497]
Affects: epel-all [bug 1409498]

Comment 3 Andrej Nemec 2017-01-02 09:06:41 UTC
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1409492]
Affects: epel-5 [bug 1409493]

Comment 4 Andrej Nemec 2017-01-02 09:06:48 UTC
Created php-PHPMailer tracking bugs for this issue:

Affects: fedora-all [bug 1409490]
Affects: epel-all [bug 1409491]

Comment 5 Andrej Nemec 2017-01-02 09:55:09 UTC
Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1409504]

Comment 6 Gianluca Sforna 2017-01-02 13:39:27 UTC
Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer since long, so for that app the problem will be fixed as soon as the phpmailer update lands in repos.

Comment 7 Andrej Nemec 2017-01-02 13:43:05 UTC
(In reply to Gianluca Sforna from comment #6)
> Hi Andrej, what about the mantis opened bug? I removed the bundled phpmailer
> since long, so for that app the problem will be fixed as soon as the
> phpmailer update lands in repos.

Hi Gianluca, thanks for the update. I am marking mantis as notaffected and will close the relevant tracking bug.

Comment 8 Shawn Iwinski 2017-01-02 17:13:35 UTC
All Drupal bugs closed as Drupal 7/8 are not affected.  See https://www.drupal.org/psa-2016-004

> The PHPMailer and SMTP modules (and maybe others) add support for
> sending e-mails using the 3rd party PHPMailer library.

> In general the Drupal project does not create advisories for 3rd
> party libraries. Drupal site maintainers should pay attention to
> the notifications provided by those 3rd party libraries as outlined
> in PSA-2011-002 - External libraries and plugins. However, given the
> extreme criticality of this issue and the timing of its release we
> are issuing a Public Service Announcement to alert potentially
> affected Drupal site maintainers.

Comment 9 Remi Collet 2017-01-05 06:45:36 UTC
Notice, the fix for this CVE is not enough.
See CVE-2016-10045, fixed in PHPMailer 5.2.20 (5.2.21 already in testing repo)

Comment 10 Benoit Donneaux 2017-01-31 08:24:47 UTC
Already got those from EPEL (from Remi I guess?):

php-PHPMailer-5.2.22-1.el6
php-PHPMailer-5.2.22-1.el7

Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223 for which I can not find any bug here!?

Comment 11 Benoit Donneaux 2017-01-31 08:33:34 UTC
(In reply to Benoit Donneaux from comment #10)
> Already got those from EPEL (from Remi I guess?):
> 
> php-PHPMailer-5.2.22-1.el6
> php-PHPMailer-5.2.22-1.el7
> 
> Apparently fixing CVE-2016-10033 and indeed CVE-2016-10045 and CVE-2017-5223
> for which I can not find any bug here!?

My bad: found CVE-2016-10045 at https://bugzilla.redhat.com/show_bug.cgi?id=1412216


Note You need to log in before you can comment on or make changes to this bug.