# Security notices relating to PHPMailer

Please disclose any security issues or vulnerabilities found
through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately.

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is
injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set
to `'php'` (the default, defined by `PHPMailer::$validator`), and the global namespace contains a function called `php`,
it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the
use of simple strings as validator function names. Recorded
as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). Reported
by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/).

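The mechanism is easiest to see in a few lines. The following is an added example, not PHPMailer's own code: `validateAddressVulnerable()` and `validateAddressHardened()` are hypothetical stand-ins for the two selection strategies, and the global `php()` function is a constructed stand-in for code that some other component has placed in the host project's scope. The hardened version applies the same rule as the 6.5.0 mitigation (a plain string is never dispatched as a callable), so a bogus address falls through to PHP's built-in `filter_var()` and is rejected, whereas the vulnerable version hands it to the colliding function, which accepts it.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's own code: why choosing a validator by a
// plain string such as 'php' is unsafe when is_callable() is consulted first.

// Hypothetical function that some other component has placed in the global
// namespace; its name collides with the 'php' validator keyword.
function php(string $address): bool
{
    // Constructed stand-in for "untrusted code": it accepts any input.
    return true;
}

// Vulnerable selection: is_callable('php') is true once a global php()
// exists, so the string is dispatched instead of selecting the built-in.
function validateAddressVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened selection, modelled on the 6.5.0 mitigation described above:
// a string is never treated as a callable, so only closures and other
// non-string callables reach call_user_func().
function validateAddressHardened(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    // Line breaks are valid in RFC 5322 but unusable in an SMTP envelope.
    if (strpos($address, "\n") !== false || strpos($address, "\r") !== false) {
        return false;
    }
    switch ($patternselect) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

$bogus = 'not an address';
printf("vulnerable: %s\n", var_export(validateAddressVulnerable($bogus), true));
printf("hardened:   %s\n", var_export(validateAddressHardened($bogus), true));

// A genuine custom validator is still honoured when passed as a closure.
$requiresAt = function (string $a): bool {
    return strpos($a, '@') !== false;
};
printf("closure:    %s\n", var_export(validateAddressHardened('user@example.com', $requiresAt), true));
```

Custom validators remain possible with the hardened rule, but only as closures or other non-string callables, which cannot be hijacked by a function-name collision.
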
PHPMailer versions 6.4.1 and earlier contain a possible remote code execution vulnerability through the `$lang_path`
parameter of the `setLanguage()` method. If the `$lang_path` parameter is passed unfiltered from user input, it can be
set to [a UNC path](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths), and if an attacker
is also able to persuade the server to load a file from that UNC path, a script file under their control may be
executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows.
PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content
directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility. This
isn't ideal, so the current translation format is deprecated and will be replaced in the next major release. Recorded
as [CVE-2021-34551](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34551). Reported
by [Jilin Diting Information Technology Co., Ltd](https://listensec.com) via Tidelift.

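The text-parsing approach, as an added example rather than PHPMailer's own loader: `loadTranslationStrings()` is a hypothetical function that reads a translation file as text and keeps only `$PHPMAILER_LANG['key'] = 'value';` assignments (the line format the bundled language files use). The sample file is constructed here and deliberately contains a statement that would execute under `include`; because the file is never included, that line is simply skipped.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's own code, of the 6.5.0 approach: read
// a translation file as plain text and keep only lines of the shape
//   $PHPMAILER_LANG['key'] = 'value';
// Nothing in the file is ever passed to include(), so code placed in it,
// whether locally or on a UNC share, is inert.
function loadTranslationStrings(string $langFile): array
{
    $strings = [];
    if (!is_file($langFile)) {
        return $strings;
    }
    $lines = file($langFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $strings;
    }
    foreach ($lines as $line) {
        // One assignment per line; the quote that opens the value must close it.
        if (preg_match('/^\$PHPMAILER_LANG\[\'([a-z\d_]+)\'\]\s*=\s*(["\'])(.*)\2;\s*$/', $line, $m) !== 1) {
            continue;
        }
        // Undo the escaping of the delimiting quote inside the value.
        $strings[$m[1]] = str_replace('\\' . $m[2], $m[2], $m[3]);
    }
    return $strings;
}

// Constructed sample translation file carrying three real-looking strings
// plus a statement that would execute under include() but is ignored here.
$sample = <<<'LANG'
<?php
$PHPMAILER_LANG['authenticate'] = 'SMTP Error: Could not authenticate.';
$PHPMAILER_LANG['connect_host'] = "SMTP Error: Could not connect to SMTP host.";
echo 'this line would run if the file were included';
$PHPMAILER_LANG['file_open'] = 'File Error: Could not open file: ';
LANG;

$tmp = tempnam(sys_get_temp_dir(), 'lang');
file_put_contents($tmp, $sample);
var_export(loadTranslationStrings($tmp));
echo "\n";
unlink($tmp);
```

This parser limits what an attacker-controlled translation file can do; it does not remove the need to validate `$lang_path` itself, since a hostile path can still cause the server to fetch a file from a location the attacker chooses.
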
PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection
vulnerability as a result
of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9).
Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi
Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.

PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type`
and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names
contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to
this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions.
Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of
Clarified Security.

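An added example, not PHPMailer's own code, of the quoting that closes this gap: `contentDispositionVulnerable()`, `quoteHeaderParam()`, `contentDispositionHardened()` and `parseFilenameParam()` are hypothetical names, and the filename is constructed. Parsing each header back the way a MIME consumer would shows that the vulnerable form conveys a truncated name (everything after the embedded quote is outside the parameter), while the hardened form round-trips the original.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's own code: building the attachment
// headers so that a filename cannot break out of its quoted parameter.

// Vulnerable form: the name is dropped straight into a quoted-string, so a
// double quote inside it ends the parameter early.
function contentDispositionVulnerable(string $filename): string
{
    return 'Content-Disposition: attachment; filename="' . $filename . '"';
}

// Hardened form: strip line breaks (header injection) and escape backslash
// and double quote as an RFC 2045 quoted-string requires.
function quoteHeaderParam(string $value): string
{
    $value = str_replace(["\r", "\n"], '', $value);
    return '"' . addcslashes($value, "\\\"") . '"';
}

function contentDispositionHardened(string $filename): string
{
    return 'Content-Disposition: attachment; filename=' . quoteHeaderParam($filename);
}

// Parse the filename parameter back the way a MIME consumer would, honouring
// quoted-string escapes, to show which name each header actually conveys.
function parseFilenameParam(string $header): ?string
{
    if (preg_match('/filename="((?:[^"\\\\]|\\\\.)*)"/', $header, $m) !== 1) {
        return null;
    }
    return stripslashes($m[1]);
}

// Constructed attachment name containing double quotes.
$name = 'quarterly "draft".pdf';

$headers = [
    'vulnerable' => contentDispositionVulnerable($name),
    'hardened'   => contentDispositionHardened($name),
];
foreach ($headers as $label => $header) {
    printf("%-10s header: %s\n", $label, $header);
    printf("%-10s parsed: %s\n", $label, var_export(parseFilenameParam($header), true));
}
```

An attachment filter that keys on the parsed filename extension sees `.pdf` only in the hardened case; with the vulnerable form the extension it sees depends on where the first embedded quote falls, which is the filter-bypass concern the notice describes.
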
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths
into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded
as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296).
See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of
vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported
by Sehun Oh of cyberone.kr.

PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code
examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps`
example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it is not
normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through
composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception
handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure
vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed
into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and be added
as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be
passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity.

PHPMailer versions prior to 5.2.20 (released December 28th 2016) are vulnerable
to [CVE-2016-10045](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10045), a remote code execution
vulnerability, responsibly reported
by [Dawid Golunski](https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html),
and patched by Paul Buonopane (@Zenexer).

PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable
to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033), a remote code execution
vulnerability, responsibly reported
by [Dawid Golunski](http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html).

PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable
to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476), an SMTP CRLF injection bug permitting
arbitrary message sending.

PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable
to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution
vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to
that and make use of the html2text function, it's vitally important that you upgrade and remove this file.

PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable
to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack.

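This header injection issue and the SMTP CRLF injection bug (CVE-2015-8476) above share one mechanism: a carriage return or line feed inside user-influenced data ends a header line or an SMTP command early, and whatever follows is read as a new line or command. An added example, not PHPMailer's own code, that refuses such input outright; `assertSingleLine()`, `buildHeaders()`, `rcptToCommand()` and `HeaderInjectionException` are hypothetical names, and the inputs are constructed:

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's own code: refusing CR/LF in anything
// that becomes a message header line or an SMTP command, which is the
// mechanism behind both header injection and SMTP command injection.

final class HeaderInjectionException extends RuntimeException {}

// Reject rather than silently strip, so the caller learns the input was bad.
function assertSingleLine(string $field, string $value): string
{
    if (strpbrk($value, "\r\n") !== false) {
        throw new HeaderInjectionException("Line break in $field");
    }
    return $value;
}

// Build the header block of a message from user-influenced fields.
function buildHeaders(string $from, array $to, string $subject): string
{
    $lines = [];
    $lines[] = 'From: ' . assertSingleLine('From', $from);
    $lines[] = 'To: ' . implode(', ', array_map(
        static function (string $addr): string {
            return assertSingleLine('To', $addr);
        },
        $to
    ));
    $lines[] = 'Subject: ' . assertSingleLine('Subject', $subject);
    return implode("\r\n", $lines) . "\r\n";
}

// Build an SMTP envelope command; a CR/LF in the address would terminate the
// command and let the remainder be read by the server as a second command.
function rcptToCommand(string $address): string
{
    return 'RCPT TO:<' . assertSingleLine('RCPT TO', $address) . '>' . "\r\n";
}

// Constructed inputs: one clean subject, one carrying an injected extra header.
$clean    = 'Monthly report';
$injected = "Monthly report\r\nX-Injected: value";

foreach ([$clean, $injected] as $subject) {
    try {
        echo buildHeaders('sender@example.invalid', ['reader@example.invalid'], $subject);
        echo "accepted\n";
    } catch (HeaderInjectionException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
echo rcptToCommand('reader@example.invalid');
```

Rejecting is preferable to stripping the control characters in application code, because a rejection surfaces in logs and tells the caller that an input needs attention, whereas silent stripping hides the attempt.
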
Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported
in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747).

PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps
(PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local
file inclusion, reported
in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021)
and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734).

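Several of the notices above reduce to the same defensive check on a user-influenced file path: the `phar://` object injection (CVE-2018-19296) and its UNC-related regression (CVE-2020-36326), relative paths in `msgHTML()` content becoming attachments (CVE-2017-5223), and the unsanitised `$lang_path` here and in CVE-2021-34551. An added example, not PHPMailer's own code, that gates such paths: `hasUrlScheme()`, `isUncPath()` and `resolveWithin()` are hypothetical names; the scheme and UNC tests follow the pattern the notices describe (blocking URL-protocol prefixes and UNC paths), and confining the resolved file to a base directory is this example's own addition. The sandbox directory and inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPMailer's own code: a single gate for every
// user-influenced path that reaches file I/O (attachment paths, images
// referenced from msgHTML(), translation directories).

// Anything that parses as a URL scheme (phar://, file://, http://, ...),
// using the scheme grammar from RFC 3986 section 3.1.
function hasUrlScheme(string $path): bool
{
    return preg_match('#^[a-z][a-z\d+.-]*://#i', $path) === 1;
}

// UNC paths in either \\server\share or //server/share form.
function isUncPath(string $path): bool
{
    return strpos($path, '\\\\') === 0 || strpos($path, '//') === 0;
}

// Treat $path as a name relative to $baseDir, resolve symlinks and "..",
// and return the real path only if it is an existing file inside $baseDir.
function resolveWithin(string $baseDir, string $path): ?string
{
    if ($path === '' || hasUrlScheme($path) || isUncPath($path)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = realpath($base . $path);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix comparison on the canonical form defeats ../ traversal.
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox: one legitimate attachment in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attachments_' . getmypid();
if (!is_dir($base) && !mkdir($base, 0700)) {
    exit("cannot create $base\n");
}
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

$inputs = [
    'report.pdf',                           // ordinary attachment name
    '../../../etc/passwd',                  // traversal out of the base
    'phar://' . $base . '/pkg.phar/x.txt',  // stream wrapper (CVE-2018-19296)
    '\\\\host.example\\share\\file.php',    // UNC path
    '//host.example/share/file.php',        // UNC path, forward-slash form
];
foreach ($inputs as $input) {
    $resolved = resolveWithin($base, $input);
    printf("%-42s => %s\n", $input, $resolved === null ? 'rejected' : $resolved);
}

unlink($base . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($base);
```

Only the first input resolves; the scheme and UNC forms are refused before any filesystem call, and the traversal attempt is refused after canonicalisation because its real path lies outside the base directory. Ordering matters: the wrapper and UNC checks come first precisely because handing such a string to `realpath()` or `is_file()` is itself the trigger the notices warn about.
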
PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported
in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807).

PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands
may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215).