[Security] PHPMailer vulnerability: CVE-2016-10033

Refers to:

  • Plesk

Created:

2016-12-27 12:59:38 UTC

Modified:

2017-02-26 16:30:45 UTC

7

Was this article helpful?


Have more questions?

Submit a request

[Security] PHPMailer vulnerability: CVE-2016-10033

Overview

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability, an attacker could target common website components, such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

Note: Roundcube, Horde and Mailman are not affected by this vulnerability.

Resolution

This vulnerability has been patched in PHPMailer 5.2.18. All versions of PHPMailer before the critical release of PHPMailer 5.2.18 are affected, it is strongly recommended to update to the patched release.

Plesk itslef does not use PHPMailer, however, many web-applications, like WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla use PHPMailer library for sending emails.

Here are vulnerability statuses for the most popular applications:

- Wordpress

Critical Vulnerability in PHPMailer. Affects WP Core. 

WordPress 4.7.1 with security fixes is released.

APS package provided by Plesk was updated to 4.7.1: https://dev.apsstandard.org/apps/1.2/wordpress.org/WordPress/Plesk/.

- Drupal

Drupal core is not affected. If PHPMailer is not being used as a 3rd-party library, there is nothing to do.

However, if there are Drupal modules installed which use PHPMailer, update it to version 5.2.18 or higher as soon as possible. Please check PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004 for the details.

- Joomla

No action is required for Joomla users. The updated library will be included to the next scheduled release and additional mechanisms exist in Joomla core to prevent triggering the vulnerability.

If Joomla extensions are using PHPMailer, it has to be updated to version 5.2.18 or higher.

Check [20161205] - PHPMailer Security Advisory for the details.

- Moodle

Moodle contains vulnerable PHPMailer 5.2.14 (in Moodle 3.1.3-83 packaged by Plesk) or 5.2.16 (in Moodle 3.2) - PHPMailer vulnerability has been reported - [CVE-2016-10033] PHPMailer < 5.2.18 Remote Code Execution

Moodle 3.2.1 and 3.1.4 with security fixes is released.

APS package provided by Plesk was updated to 3.1.4: https://dev.apsstandard.org/apps/1.2/moodle.org/moodle/Plesk/

Have more questions? Submit a request
Please sign in to leave a comment.