Titles like “Critical PHPMailer Flaw leaves Millions of Websites Vulnerable to Remote Exploit” or “PHPMailer Bug Leaves Millions of Websites Open to Attack” are great if you’re looking for clicks. However, when you take a closer look, you’ll see that these aren’t exactly accurate.
Blast radius of phpmailer was greatly hyped by bug author: requires app to use fairly sophisticated mail address validation (or none at all)— Kenn White (@kennwhite) December 27, 2016
Here, I’ll take a level-headed look at recent vulnerabilities found in PHPMailer, CVE-2016-10033 and CVE-2016-10045.
The vulnerability has caused quite the stir because of the rampant usage of the PHPMailer library.
The first line in the advisory for CVE-2016-10033 states…
PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily.
Then it goes on…
Probably the world’s most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more
This background could be interpreted to mean that anyone running these platforms is currently vulnerable to this exploit.
Unfortunately, “anyone” is a bit of an overstatement.
The “About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities” page from the PHPMailer wiki lays out the requirements for this vulnerability to be exploited. Essentially…
- The sender address must be set from user input via `setFrom`. The `$auto` parameter of `setFrom` can be set to `false`, which will allow the sender to be safely set from user input (but please don’t).
- The `isMail()` transport must be in use (which is the default). Delivery via SMTP is not vulnerable.
- The attack relies on the sendmail `-X` flag. That being said, you can still inject other flags which attackers may find other ways to take advantage of.
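To make those preconditions concrete, here is an added example (not code from the original post or from the PHPMailer project) of the contact-form pattern they describe, next to a hardened version of the same form handler. It assumes PHPMailer 5.2.x loaded through PHPMailerAutoload.php and uses placeholder addresses at example.com.

```php
<?php
// Added example, not from the original post or PHPMailer itself.
// Assumes PHPMailer 5.2.x is available via its autoloader.
require 'PHPMailerAutoload.php';

// Pattern to look for in your own code: the visitor-supplied address is passed to
// setFrom() over the default mail() transport. setFrom()'s third parameter ($auto)
// defaults to true, which copies the address into Sender, and Sender is what mail()
// hands to the local sendmail binary as the -f argument. That is the command line
// the advisory is about. $post is the raw contact-form submission.
function sendContactMailVulnerable(array $post)
{
    $mail = new PHPMailer(true);                    // throw exceptions on failure
    $mail->isMail();                                // default transport; the affected one
    $mail->setFrom($post['email'], $post['name']);  // user input reaches Sender / -f
    $mail->addAddress('owner@example.com');         // placeholder recipient
    $mail->Subject = 'Contact form';
    $mail->Body    = $post['message'];
    return $mail->send();
}

// Hardened version: From and Sender are a fixed, trusted site address, so nothing the
// visitor typed reaches the sendmail argument list. The visitor's address is still
// usable for replies, but only as a Reply-To header, which PHPMailer validates and
// encodes like any other header field.
function sendContactMailHardened(array $post)
{
    if (!PHPMailer::validateAddress($post['email'])) {
        throw new InvalidArgumentException('Invalid reply address');
    }
    $mail = new PHPMailer(true);
    $mail->isMail();
    $mail->setFrom('noreply@example.com', 'Website contact form'); // trusted constant
    $mail->addReplyTo($post['email'], $post['name']);              // header only
    $mail->addAddress('owner@example.com');
    $mail->Subject = 'Contact form';
    $mail->Body    = $post['message'];
    return $mail->send();
}
```

Switching the handler to `isSMTP()` removes the sendmail command line entirely, which is why the wiki lists SMTP delivery as not vulnerable, but the fixed From address above is worth keeping regardless of transport.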
A lead WordPress developer has stated the following…
Presently, WordPress Core (and as a result, anything utilising `wp_mail()`) are unaffected by the recent disclosures; the vulnerabilities require the usage of a PHPMailer feature which WordPress & `wp_mail()` does not use.
Older versions look like they may be vulnerable where forms are configured to use user input to set the From address, which looks to be a standard feature in contact form plugins.
Drupal core is not affected.
However, similar to WordPress, third-party modules are the concern.
Drupal installations are not vulnerable to the PHPMailer CVE-2016-10033 UNLESS they have a module that uses that 3rd party library.— Drupal Security (@drupalsecurity) December 26, 2016
I haven’t looked at any of the other platforms at this point.
The bottom line is that, while you should definitely upgrade PHPMailer as soon as possible (there will certainly be successful exploits on unpatched sites), some of the language being used to describe this vulnerability is a bit exaggerated.
If you have any questions or comments, feel free to drop a note below, or, as always, you can reach me on Twitter as well.