Just recently we mentioned the security flaw in PHPMailer. Barely a week later we are at it again, this time with flaws in the three major PHP mailing libraries, namely PHPMailer, SwiftMailer and ZendMail.
The critical flaws found in these PHP mailing libraries allow a remote attacker to execute arbitrary code in the context of the web server and compromise the web application. The flaw was first revealed in PHPMailer and a patch was issued. However, a couple of days later the patched version was found to still be vulnerable and another patch was issued to fix the problem.
The flaws were disclosed by Polish security researcher Dawid Golunski of LegalHackers.
Who is Affected by The RCE Flaws in These PHP Mailing Libraries
The initial flaw in PHPMailer affected nine million users, and a fix was issued, although Dawid was able to breach the patched library again, forcing the team to release another patch. PHPMailer is used in WordPress, Joomla, Drupal, 1CRM, SugarCRM and Yii, among a host of other proprietary and custom plugins, extensions, Content Management Systems (CMS) and websites. The fixed version of PHPMailer is 5.2.20; users are advised to update to it as soon as possible.
SwiftMailer, another popular mailing library used in Laravel, Symfony, Yii2 and other open source projects, contains the same vulnerability, which can be exploited via any web form that sends out emails via SMTP.
According to the changelog for SwiftMailer on GitHub, “The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the “From”, “ReturnPath” or “Sender” header came from a non-trusted source, potentially allowing Remote Code Execution.” All versions of SwiftMailer prior to 5.4.5 are vulnerable, and all users are advised to update immediately.
The Zend Framework, with more than 95 million installations, uses the ZendMail component for sending out emails. This component harbors the same flaw, which may allow an attacker to inject arbitrary parameters into the system sendmail program. The team at Zend has shed more light on the issue in this blog post.
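The check a defender would put in front of any of these libraries, as an added example in PHP (not code from PHPMailer, SwiftMailer or ZendMail): a sender address taken from a web form is accepted only if it is both well-formed and free of the characters that let it escape the argument the mailer passes on to sendmail. It assumes the application never needs RFC 5322 quoted-string local parts.

```php
<?php
// Added example, not code from PHPMailer, SwiftMailer or ZendMail. It assumes
// the application already holds the form-submitted address as a string and
// never needs RFC 5322 quoted-string local parts (the "..."@domain form).

/**
 * Accept an address for use as a sender only when it is syntactically valid
 * AND made of characters that cannot break out of a sendmail -f argument.
 * Whitespace, quotes, backslashes and control characters are rejected even
 * where the RFC would allow them: "valid e-mail" and "safe as a command-line
 * argument" are different properties, and sendmail only sees the latter.
 */
function isSafeSenderAddress(string $address): bool
{
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Strict allow-list: local part limited to a conservative character set,
    // domain limited to dotted labels. \z (not $) is deliberate: $ would still
    // match a string that ends in a newline, which is exactly what must fail.
    $pattern = '/^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@'
             . '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
             . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+\z/';
    if (preg_match($pattern, $address) !== 1) {
        return false;
    }
    // Second opinion from PHP's own validator, which also rejects shapes the
    // pattern lets through, such as consecutive dots in the local part.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples: one legitimate address, then inputs shaped the way
// untrusted data reaching the From/Sender header could be; all must fail.
$samples = [
    'alice@example.com'       => true,
    '"alice b"@example.com'   => false, // RFC-valid quoted local part with a space
    'alice@example.com -x'    => false, // trailing argument-like text
    'alice\\@example.com'     => false, // backslash
    "alice@example.com\n"     => false, // trailing newline (control character)
    'alice..b@example.com'    => false, // caught by filter_var, not the pattern
];
foreach ($samples as $input => $expected) {
    $ok = isSafeSenderAddress($input) === $expected;
    printf("%-28s %s\n", json_encode($input), $ok ? 'as expected' : 'MISMATCH');
}
```

Updating to the fixed library versions named above is still the primary fix; this check is defence in depth for the header values the advisories identify as untrusted input.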