SwiftMailer, PhpMailer and ZendMail PHP Mailing Libraries Found With Critical Flaws


Just recently we mentioned the security flaw in PHPMailer. Barely a week later we are at it again, this time with flaws in the three major PHP mailing libraries, namely PHPMailer, SwiftMailer and ZendMail.

The critical flaws found in these PHP mailing libraries allow a remote attacker to execute arbitrary code in the context of the web server and compromise the web application. The flaw was first revealed in PHPMailer and a patch was issued. However, a couple of days later the patched version was found to still be vulnerable and another patch was issued to fix the problem.

The flaws were disclosed by Polish security researcher Dawid Golunski of Legal Hackers.

Who is Affected by The RCE Flaws in These PHP Mailing Libraries

The initial flaw in PHPMailer affected nine million users, and a fix was issued, but Dawid was able to breach the patched library again, forcing the team to release another patch. PHPMailer is used in WordPress, Joomla, Drupal, 1CRM, SugarCRM and Yii, among a host of other proprietary and custom plugins, extensions, Content Management Systems (CMS) and websites. The safe update of PHPMailer is version 5.2.20. Users are advised to update to this version as soon as possible.


SwiftMailer, another popular mailing library used in Laravel, Symfony, Yii2 and other open source projects, also contains the same vulnerability, which can be exploited via any web form that sends out emails via SMTP.

According to the changelog for SwiftMailer on GitHub, "The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the 'From', 'ReturnPath' or 'Sender' header came from a non-trusted source, potentially allowing Remote Code Execution." All versions of SwiftMailer prior to 5.4.5 are vulnerable, and therefore all users are advised to update with immediate effect.

The Zend Framework, with more than 95 million installations, uses the ZendMail component for sending out emails. This component harbors the same flaw, which may allow an attacker to inject arbitrary parameters into the system sendmail program. The team at Zend has explained the issue further in this blog post.
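The common thread in all three libraries is that a sender address taken from user input is passed through to the sendmail binary as a command-line argument, and the library's own e-mail validation was not strict enough to stop shell-significant characters from reaching it. Below is an added example (my own defensive check, not code from PHPMailer, SwiftMailer or ZendMail) of the kind of allow-list validation an application should apply to a form-supplied address before handing it to any mail library; the sample addresses are constructed for illustration.

```php
<?php
// Added defensive example: a strict allow-list check for a sender address that
// comes from user input, applied BEFORE the address reaches a mail library that
// may pass it to /usr/sbin/sendmail as a command-line argument.
//
// RFC 5321 permits quoted local parts such as "a b"@example.com, and PHP's
// FILTER_VALIDATE_EMAIL accepts them, but a quoted local part may contain
// spaces and dashes, which is exactly what a command-line mail transport must
// never see. A web form has no legitimate need for such addresses.

function isSafeSenderAddress(string $address): bool
{
    // Syntactic check first: anything that is not an e-mail address is out.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Allow only the conservative dot-atom form: no whitespace, quotes,
    // backslashes or other shell-significant characters anywhere.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address)) {
        return false;
    }
    // A leading dash would be read by sendmail as an option, not an address.
    if ($address[0] === '-') {
        return false;
    }
    // Defence in depth: shell escaping must be a no-op, otherwise the string
    // still contains something a shell would interpret.
    return escapeshellcmd($address) === $address
        && escapeshellarg($address) === "'" . $address . "'";
}

// Constructed sample inputs: a normal address, a quoted local part with a
// space (valid per RFC 5321 and accepted by FILTER_VALIDATE_EMAIL), a
// leading-dash address, and a domain without a dot. Only the first may pass.
$samples = [
    'alice@example.com'         => true,
    '"alice smith"@example.com' => false,
    '-alice@example.com'        => false,
    'bob@example'               => false,
];
foreach ($samples as $input => $expected) {
    $result = isSafeSenderAddress($input);
    if ($result !== $expected) {
        throw new RuntimeException("unexpected result for $input");
    }
    printf("%-28s %s\n", $input, $result ? 'accepted' : 'rejected');
}
```

Applying a check like this at the application boundary does not replace upgrading to the patched library versions named above; it limits the damage if an unpatched copy is still in the dependency tree.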