Network Security, Patch/Configuration Management, Vulnerability Management

Critical code execution flaw in PHPMailer took two patches to fix

Older versions of PHPMailer, a widely used PHP library for sending email, contain a critical vulnerability that remote attackers can exploit to execute arbitrary code in the context of the web server's account and compromise the targeted web application.

The developers of PHPMailer seemingly fixed the vulnerability, designated CVE-2016-10033, with the release of version 5.2.18 on Dec. 24, 2016. But in a Dec. 27 blog post, Legal Hackers researcher Dawid Golunski, who originally discovered the flaw, reported that he was able to bypass the patch. That prompted the developers to issue version 5.2.20 on Dec. 28 to address the bypass, designated CVE-2016-10045. Version 5.2.18 alone is therefore not sufficient; 5.2.20 is the first release that closes both issues.

According to Golunski in a Dec. 25 blog post describing the original vulnerability, an attacker looking to exploit the flaw “could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”

PHPMailer, a library for composing and sending email from PHP code, has an estimated 9 million users and is bundled by many open-source projects, including WordPress and Drupal, Golunski noted. Sites that ship such a bundled copy depend on the upstream project to pull in the fixed release, so the copy actually deployed, not just the PHPMailer project's latest tag, is what needs checking.
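As an added example (not part of this article and not PHPMailer's own code), the following Python script locates vendored copies of PHPMailer in a source tree and reports whether each one predates 5.2.20, distinguishing copies that carry only the first patch (5.2.18 or 5.2.19) from those that are fully fixed. It assumes the version markers PHPMailer's own source files use: `public $Version = '...'` in the 5.2 series and `const VERSION = '...'` in 6.x. The file paths and contents are constructed inline so the script runs offline; point `scan()` at real `(path, contents)` pairs read from disk to use it. It checks versions only; the injection vector Golunski used is not described on this page and is not reproduced here.

```python
"""Check vendored PHPMailer copies against the first fully fixed release.

Constructed example: the sample "files" below are inline strings rather than
files on disk. The regex assumes the version markers PHPMailer's own source
uses: `public $Version = '5.2.18';` in the 5.2 series (class.phpmailer.php)
and `const VERSION = '6.0.0';` in 6.x (src/PHPMailer.php).
"""
import re
from typing import Iterable, List, Optional, Tuple

# CVE-2016-10033 was first addressed in 5.2.18; the bypass of that patch,
# CVE-2016-10045, is fixed in 5.2.20, so 5.2.20 is the first release that
# closes both issues.
FIRST_PATCH = (5, 2, 18)
FIXED_VERSION = (5, 2, 20)

_VERSION_RE = re.compile(
    r"""(?:public\s+\$Version\s*=|const\s+VERSION\s*=)\s*['"]([0-9]+(?:\.[0-9]+)*)['"]"""
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple declared in a PHPMailer source file, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any release before 5.2.20, including 5.2.18 and 5.2.19."""
    return version < FIXED_VERSION


def classify(version: Tuple[int, ...]) -> str:
    """Explain which of the two CVEs a given version is still exposed to."""
    if version < FIRST_PATCH:
        return "vulnerable: CVE-2016-10033 and CVE-2016-10045"
    if version < FIXED_VERSION:
        return "vulnerable: first patch only, bypass CVE-2016-10045 still open"
    return "fixed"


def scan(files: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Scan (path, contents) pairs; return (path, version, verdict) for each
    file that declares a PHPMailer version. Files without a marker are skipped."""
    findings = []
    for path, contents in files:
        version = parse_version(contents)
        if version is None:
            continue
        findings.append((path, ".".join(map(str, version)), classify(version)))
    return findings


# Constructed sample tree: three vendored copies at different versions plus
# one unrelated PHP file. Paths and version numbers are illustrative only.
SAMPLE_TREE = [
    ("wp-includes/class-phpmailer.php",
     "<?php\nclass PHPMailer {\n    public $Version = '5.2.14';\n"),
    ("vendor/phpmailer/phpmailer/class.phpmailer.php",
     "<?php\nclass PHPMailer {\n    public $Version = '5.2.18';\n"),
    ("vendor/phpmailer/phpmailer/src/PHPMailer.php",
     "<?php\nnamespace PHPMailer\\PHPMailer;\nclass PHPMailer {\n    const VERSION = '6.0.7';\n"),
    ("index.php", "<?php echo 'no mailer here';\n"),
]

if __name__ == "__main__":
    for path, version, verdict in scan(SAMPLE_TREE):
        print(f"{path}: {version} -> {verdict}")
```

Because the bypass shipped as a separate CVE against a separate release, a scanner that only checks for "5.2.18 or later" would give a false clean result on a 5.2.18 or 5.2.19 copy; the three-way `classify()` verdict is there to make that gap visible.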

Bradley Barth
