
PHPMailer and SwiftMailer execution of arbitrary code vulnerabilities

In recent days, three vulnerabilities have been reported for PHPMailer and SwiftMailer:



All three vulnerability reports list the Yii framework, along with other PHP frameworks, as vulnerable, so the purpose of this article is to clarify exactly who is affected by these vulnerabilities and what needs to be done to protect your application.


As for PHPMailer, Yii has never officially provided any components related to PHPMailer, nor has the Yii team ever included PHPMailer in any officially released code.


The mention of Yii in the reports is most likely copied from PHPMailer's README, which states that it can be used together with the Yii framework. A patch has already been released for PHPMailer; you need to upgrade to at least version 5.2.20.


The situation with SwiftMailer is different: for it we provide the yii2-swiftmailer extension. SwiftMailer has also released a patch; you need to upgrade to at least version 5.4.5.


The essence of the vulnerability


Since PHP's mail() function does not provide a separate parameter for specifying the sender's address, the only way to set it is to pass a string as the fifth argument ($additional_parameters). The string must contain the -f flag followed by the sender's email address (for example, -fadmin@example.com).


This results in a call to the sendmail binary with a list of parameters built from the arguments of the PHP mail() call. For example:


 /usr/sbin/sendmail -t -i -fadmin@example.com 

When a developer passes the fifth argument to mail() directly, it is assumed that they have read the documentation and know that the email address must be validated and escaped so that it is safe to use on the command line. If this is not done, responsibility clearly lies with the developer who allowed command-line parameters to be injected.


However, the PHPMailer and SwiftMailer libraries provide a convenient API that hides the fact that the email address is passed to the command line in an unsafe way. The developer expects the libraries to perform enough escaping to make the call to the sendmail program safe.


The discovered vulnerabilities show that the PHPMailer and SwiftMailer libraries did not perform sufficient escaping. This means that a specially crafted sender address is passed through to the fifth parameter of PHP's mail() function and interpreted as additional parameters when the sendmail program is called.


For example, passing the following string as the sender's email address injects the -oQ and -X parameters, which the sendmail program then processes:


 -f"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com

which results in the following sendmail invocation:

 /usr/sbin/sendmail -t -i -f"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php some@email.com

More information on reproducing the vulnerability can be found at the links at the beginning of the article.


Who is at risk?


First of all, anyone who uses the Swift_MailTransport or PHPMailer classes to send messages; these classes in turn call PHP's mail() function.


What needs to be done to secure the application?


Given that the vulnerabilities only concern the "From" field, you need to identify the places in your application where a user can supply their own value for the sender's address. Most often this happens in contact forms and guest book scripts.


If you validate the email address correctly at the point where it is received from the user, this vulnerability most likely does not affect you.


It is good practice to validate data immediately upon receipt from the user; this avoids processing invalid data elsewhere in the application, including passing it to third-party libraries that may be vulnerable.


For Yii there is EmailValidator, which rejects addresses of the kind used in this vulnerability.


In addition, PHP has a built-in function, filter_var(), which can validate an email address. For example:


    public function validateEmail()
    {
        // FILTER_VALIDATE_EMAIL returns false for the crafted address shown above,
        // so it never reaches the mailer library or the sendmail command line
        if (filter_var($this->email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidParamException('The email contains characters that are not allowed');
        }
    }
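As an added example (not the article's code and not from Yii, PHPMailer or SwiftMailer), the same check layered the way the article recommends: filter_var() first, then a conservative allowlist so that quoted local parts, whitespace and shell metacharacters are refused before anything builds the fifth mail() argument. The class and method names, and the two sample addresses, are my own constructions.

```php
<?php
// Added example: validate the sender address at input time, before it can
// become part of mail()'s $additional_parameters. Not project code.
declare(strict_types=1);

final class SenderAddressValidator
{
    /**
     * Return the address if it is safe to place after "-f", or null if it
     * must be rejected.
     * Layer 1: PHP's FILTER_VALIDATE_EMAIL (the check the article recommends).
     * Layer 2: a strict allowlist; RFC 5322 permits quoted local parts such as
     *          "a b"@example.com, but nothing here needs them, so refuse them.
     */
    public static function safeSender(string $email): ?string
    {
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        // Dot-atom local part and a plain domain only; no quotes, spaces or "-".
        if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email)) {
            return null;
        }
        return $email;
    }

    /** Build the fifth mail() argument, refusing unsafe input rather than escaping it. */
    public static function additionalParameters(string $email): string
    {
        $safe = self::safeSender($email);
        if ($safe === null) {
            throw new InvalidArgumentException('The email contains characters that are not allowed');
        }
        return '-f' . $safe;
    }
}

// Constructed inputs: an ordinary address and the crafted address from the article.
// In a single-quoted PHP string the backslash before the inner quote is kept literally.
$candidates = [
    'admin@example.com',
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com',
];

foreach ($candidates as $candidate) {
    $verdict = SenderAddressValidator::safeSender($candidate) === null ? 'rejected' : 'accepted';
    echo $candidate, ' => ', $verdict, PHP_EOL;
}
```

Wire additionalParameters() into the code path that calls mail() (or into the model's validation rules in Yii) so that a rejected address raises before any library sees it.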

UPD1: SwiftMailer has released a patch; you need to upgrade to at least version 5.4.5.



Source: https://habr.com/ru/post/318698/
