A security researcher recently reported a critical vulnerability in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application.

Disclosed by Polish security researcher Dawid Golunski of Legal Hackers, the issue (CVE-2016-10033) in PHPMailer used by more than 9 Million users worldwide was thought to be fixed with the release of version 5.2.18.

However, Golunski managed to bypass the patched version of PHPMailer that was given a new CVE (CVE-2016-10045), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack.

PHPMailer eventually fixed the issue with an update, version 5.2.20. All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to the new version.

In addition to this bug, Golunski also reported a similar vulnerability in two other mailing libraries for PHP, SwiftMailer, and ZendMail, that could have also led to remote code execution attack.

RCE Flaw in SwiftMailer

SwiftMailer is also a popular PHP library used by many major open-source projects, including top PHP programming frameworks like Yii2, Laravel, Symfony for sending emails over SMTP.

The vulnerability (CVE-2016-10074) in SwiftMailer can be exploited in the same manner as the PHPMailer vulnerability by targeting web site components that use SwiftMailer class, such as contact/registration forms, password email reset forms, and so forth.

Attackers can execute arbitrary code remotely in the context of the web server, which could further be exploited to access a web server hosting a web application that used a vulnerable version of the library.

The SwiftMailer vulnerability affects all versions of the library, including the then-current release, version 5.4.5-DEV.

Golunski disclosed the vulnerability to SwiftMailer team, and developers acted fast to fix the issue, rolling out patched version 5.4.5 within a day.

"The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the "From," "ReturnPath" or "Sender" header came from a non-trusted source, potentially allowing Remote Code Execution," reads the changelog for SwiftMailer on GitHub.

RCE Flaw in ZendMail

ZendMail is a component of a very popular PHP programming framework Zend Framework with more than 95 Million installations.

The critical vulnerability (CVE-2016-10034) in ZendMail can also be exploited in the same manner as one discovered in PHPMailer and SwiftMailer by targeting web site components that use ZendMail, like contact/registration forms, password email reset forms, and so on.

Attackers could achieve remote code execution in the context of the web server and could remotely compromise the target web application that used the vulnerable version of the ZendMail.

The researcher reported the issue to ZendMail, and the developers fixed the vulnerability and rolled out the patched version.
"When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program," ZendMail wrote in a blog post.
"The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability."
Golunski has released a proof-of-concept video demonstration that will show all the three attacks in action.
Golunski has also released a 3-in-1 exploit, nicknamed PwnScriptum, about the vulnerabilities in PHPMailer, SwiftMailer, and ZendMail.

The researcher will soon be revealing a security white-paper with previously unknown exploitation vectors and techniques that can be used to exploit all the 3 vulnerabilities.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.