Legal Hackers researcher Dawid Golunski found a remote code execution flaw in PHPMailer, then discovered a technique to bypass a patch that developers issued to fix that vulnerability.

Older versions of the code library PHPMailer contain a critical vulnerability that remote attackers can leverage to take over a web server account and compromise a targeted web application via arbitrary code execution.

The developers of PHPMailer seemingly fixed the vulnerability – designated CVE-2016-10033 – with the release of version 5.2.18 on Dec. 24. But in a Dec. 27 blog post, Legal Hackers researcher Dawid Golunski, who originally discovered the flaw, reported that he was able to bypass the patch, causing the developers to issue version 5.2.20 on Dec. 28 to fix this additional issue (designated CVE-2016-10045).

According to Golunski in a Dec. 25 blog post describing the original vulnerability, an attacker looking to exploit the flaw “could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.”

A transport tool for sending emails using PHP code, PHPMailer has an estimated 9 million users and is leveraged by many open-source projects including WordPress and Drupal, Golunski noted.