The Hacker News — Cyber Security, Hacking, Technology News

A critical vulnerability has been discovered in PHPMailer, which is one of the most popular open source PHP libraries to send emails used by more than 9 Million users worldwide.

Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla comes with PHPMailer library for sending emails using a variety of methods, including SMTP to their users.

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

"To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," Golunski writes in the advisory published today.

Golunski responsibly reported the vulnerability to the developers, who have patched the vulnerability in their new release, PHPMailer 5.2.18.

All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected, so web administrators and developers are strongly recommended to update to the patched release.

Since The Hacker News is making the first public disclosure of the vulnerability in the news following Golunski advisory and millions of websites remain unpatched, the researcher has put on hold more technical details about the flaw.

However, Golunski has promised to release more technical details about the vulnerability in coming days, including a proof-of-concept exploit code and video demonstration that will show the attack in action.

We will update this article with additional information on the PHPMailer vulnerability, exploit code and video demonstration, once the researcher makes it public.

Update: Exploit Code for PHPMailer RCE Released

Golunski has released Proof-of-Concept (PoC) exploit code for PHPMailer remote code execution vulnerability.

"A successful exploitation could let remote attackers gain access to the target server in the context of the web server account which could lead to a full compromise of the web application," Golunski said.

You can find exploit code here.

Cyber attacks get bigger, smarter, more damaging.

P*rnHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Now, it turns out that the world's most popular p*rn*graphy site has paid its first bounty payout. But how much?

US $20,000!

Yes, P*rnHub has paid $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP – the programming language that powers P*rnHub's website.

The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP's garbage collection algorithm when it interacts with other PHP objects.

One of those is PHP's unserialize function on the website that handles data uploaded by users, like hot pictures, on multiple paths, including:

• http://www.P*rnH*b.com/album_upload/create
• http://www.P*rnH*b.com/uploading/photo

This zero-day flaw let the researchers reveal the address of the server's POST data, allowing them to craft a malicious payload and thereby executing rogue code on P*rnHub's server.

The hack was complicated and required a massive amount of work that granted a "nice view of P*rnHub’s /etc/passwd file," allowing the team to execute commands and make PHP run malicious syscalls.

The PHP zero-day vulnerabilities affect all PHP versions of 5.3 and higher, though the PHP project has fixed the issue.

The hack could have allowed the team to drop all P*rnHub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.

P*rnHub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

The sophisticated hack on P*rnHub's servers that allowed the team to gain full access to the entire P*rnHub database has been explained in two highly detailed blog posts. You can head on to them for technicalities of this attack.

“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says the blog post.

• Log­in and get his nonce via wp-admin
• Send an AJAX file upload request containing the leaked nonce and his backdoor

“So long story short – don’t only use nonces to protect sensitive methods, always add functions such as “current_user_can()” or the likes to confirm a user’s right to do something.”