Experts have determined that the remote code execution vulnerabilities affecting the PHPMailer and SwiftMailer email-sending libraries are caused by PHP design flaws.
Researcher Dawid Golunski from Legal Hackers recently discovered that PHPMailer has a critical flaw that can be exploited by a remote, unauthenticated attacker for arbitrary code execution in the context of the web server user. The weakness, exploitable by submitting specially crafted input through contact and registration forms, can allow an attacker to completely take over the targeted web application.
PHPMailer developers attempted to patch the vulnerability (CVE-2016-10033) with the release of version 5.2.18. However, Golunski determined that the fix could be bypassed. The new flaw (CVE-2016-10045) was patched on December 28 with the release of version 5.2.20.
In the meantime, the researcher found the same security hole in the SwiftMailer library (CVE-2016-10074). SwiftMailer developers included a fix for the vulnerability in version 5.4.5, released on December 29, but it may not be complete either.
Researcher Paul Buonopane believes that CVE-2016-10033, CVE-2016-10045 and CVE-2016-10074 are just the tips of the iceberg as they are caused by PHP design flaws that could expose many applications.
The issues, according to Buonopane, revolve around the lack of proper input sanitization, particularly related to the PHP functions escapeshellarg and escapeshellcmd. escapeshellcmd is designed to escape characters that might be used to trick a shell command into executing arbitrary commands, while escapeshellarg escapes a string that will be used as a shell argument.
Buonopane has pointed out that the escapeshellarg function is incomplete and escapeshellcmd was never meant to sanitise user input, which leaves room for abuse. The expert said PHP developers have known about some of the issues surrounding the problematic functions for several years.
“The underlying vulnerability is really a design flaw and will take many years to fix. That cannot begin without the active participation of the greater PHP community,” Buonopane said.
Both PHPMailer and SwiftMailer are very popular. PHPMailer is used by projects such as WordPress, Drupal and Joomla, while the SwiftMailer library is leveraged by PHP frameworks such as Yii2, Laravel and Symfony. While disclosures have focused on PHPMailer and SwiftMailer, Buonopane believes nearly all other PHP email libraries are affected by these vulnerabilities.