Just recently we mentioned the security flaw in PHPMailer. Barely a week later we are at it again, this time with flaws in the three major PHP mailing libraries: PHPMailer, SwiftMailer, and ZendMail.
The critical flaws found in these PHP mailing libraries allow a remote attacker to execute arbitrary code in the context of the web server and compromise the web application. The flaw was first revealed in PHPMailer and a patch was issued. However, a couple of days later the patched version was found to be vulnerable as well, and another patch was issued to fix the problem.
The flaws were disclosed by Polish security researcher Dawid Golunski of Legal Hackers.
Who is Affected by The RCE Flaws in These PHP Mailing Libraries
The initial flaw in PHPMailer affected nine million users. A fix was issued, but Dawid was able to bypass it and breach the library again, forcing the team to release another patch. PHPMailer is used in WordPress, Joomla, Drupal, 1CRM, SugarCRM, and Yii, among a host of other proprietary and custom plugins, extensions, Content Management Systems (CMS), and websites. The fixed version of PHPMailer is 5.2.20. Users are advised to update to this version as soon as possible.
SwiftMailer, another popular mailing library used in Laravel, Symfony, Yii2, and other open-source projects, contains the same vulnerability, which can be exploited via any web form that sends out emails via SMTP.
According to the changelog for SwiftMailer on GitHub, “The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the “From,” “ReturnPath” or “Sender” header came from a non-trusted source, potentially allowing Remote Code Execution.” All versions of SwiftMailer prior to 5.4.5 are vulnerable, and therefore all users are advised to update with immediate effect.
The Zend Framework, with more than 95 million installations, uses the ZendMail component for sending out emails. This component harbors the same flaw, which may allow an attacker to inject arbitrary parameters into the system Sendmail program. The team at Zend has shed more light on the issue in a blog post.
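The common root cause in the SwiftMailer and ZendMail passages above is that a sender address taken from an untrusted source ends up as a command-line argument to the local sendmail binary (PHP's `mail()` passes its fifth argument straight through). The following is an added example, not code from PHPMailer, SwiftMailer or ZendMail, showing the defensive gate an application can place in front of that argument: the function names (`isShellSafeSender`, `buildSenderParam`, `sendWithEnvelope`), the allowlist pattern and the constructed test inputs are all assumptions of this example, not values from the advisories.

```php
<?php
// Added example (not library code): gate a user-supplied sender address before it
// is handed to mail()'s $additional_params (-f flag), which is forwarded as a
// command-line argument to the local sendmail binary.

declare(strict_types=1);

/**
 * Return true only if $address is a syntactically valid e-mail address AND is
 * built solely from characters that cannot be read as shell or sendmail options.
 * RFC-legal but exotic local parts (quoted strings, spaces) are deliberately
 * rejected, because RFC validity alone is not the same as shell safety.
 */
function isShellSafeSender(string $address): bool
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Conservative allowlist: no whitespace, no quotes, and no leading '-'
    // (the first character is restricted to alphanumerics).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.+_%-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address)) {
        return false;
    }
    // Belt and braces: if escapeshellarg had to change anything beyond wrapping
    // the value in single quotes, refuse the address outright.
    return escapeshellarg($address) === "'" . $address . "'";
}

/**
 * Build the fifth argument for mail(). Returns null when the address must not be
 * used as an envelope sender at all.
 */
function buildSenderParam(string $address): ?string
{
    return isShellSafeSender($address) ? '-f' . $address : null;
}

/** Send with the envelope sender set only when it passes the gate. */
function sendWithEnvelope(string $to, string $subject, string $body, string $sender): bool
{
    $param = buildSenderParam($sender);
    if ($param === null) {
        // Fall back to the server default rather than passing untrusted text to sendmail.
        return mail($to, $subject, $body);
    }
    return mail($to, $subject, $body, "From: $sender\r\n", $param);
}

// Constructed inputs for a quick self-check (hypothetical, not taken from the advisories).
$checks = [
    'alice@example.com'         => true,
    'alice@example.com -Xlog'   => false,   // embedded space followed by an option-like token
    '"quoted name"@example.com' => false,   // RFC-legal quoted local part, rejected on purpose
    '-bounce@example.com'       => false,   // leading dash would be read as an option
];
foreach ($checks as $input => $expected) {
    $actual = isShellSafeSender($input);
    printf("%-28s %s\n", $input, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

Note that `filter_var` with `FILTER_VALIDATE_EMAIL` alone is not sufficient: it accepts quoted local parts that may contain spaces, so the second, stricter allowlist is the check that actually matters. Run the script from the command line to see each constructed input reported as `ok`; the `sendWithEnvelope` function is only exercised when a real sendmail binary is configured.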