CVE-2016-10033
CVE-2016-10033
In short
PHPMailer's email sending function has a flaw that allows attackers to inject extra commands into the mail system by using a special character sequence in the sender field, potentially running malicious code on the server.
Technical detail
The mailSend function in PHPMailer's isMail transport fails to properly sanitize the Sender property, allowing an attacker to inject arbitrary parameters to the underlying mail() command via backslash-escaped quotes. This enables arbitrary code execution on systems using affected versions (before 5.2.18) where an attacker can control or influence the Sender field.
Summary generated and translated by AI from the official description.
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 38
githubgithub.com/opsxcq/exploit-CVE-2016-10033★ 408githubgithub.com/GeneralTesler/CVE-2016-10033★ 9githubgithub.com/Zenexer/safeshell★ 8githubgithub.com/0x00-0x00/CVE-2016-10033★ 6githubgithub.com/pedro823/cve-2016-10033-45★ 2githubgithub.com/awidardi/opsxcq-cve-2016-10033★ 1githubgithub.com/j4k0m/CVE-2016-10033★ 1githubgithub.com/chipironcin/CVE-2016-10033★ 1githubgithub.com/liusec/WP-CVE-2016-10033★ 1githubgithub.com/alexander47777/CVE-2016-10033★ 0githubgithub.com/ElnurBDa/CVE-2016-10033★ 0githubgithub.com/CAOlvchonger/CVE-2016-10033★ 0githubgithub.com/zeeshanbhattined/exploit-CVE-2016-10033★ 0githubgithub.com/cved-sources/cve-2016-10033★ 0githubgithub.com/Bajunan/CVE-2016-10033★ 0githubgithub.com/qwertyuiop12138/CVE-2016-10033★ 0githubgithub.com/Astrowmist/POC-CVE-2016-10033★ 0githubgithub.com/sealldeveloper/CVE-2016-10033-PoC★ 0exploitdbwww.exploit-db.com/exploits/40986unverifiedexploitdbwww.exploit-db.com/exploits/42024unverifiedexploitdbwww.exploit-db.com/exploits/42221unverifiedcve_referencepacketstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.htmlunverifiedcve_referencewww.exploit-db.com/exploits/40968/unverifiedcve_referencewww.exploit-db.com/exploits/40969/unverifiedcve_referencewww.exploit-db.com/exploits/40970/unverifiedcve_referencewww.exploit-db.com/exploits/40974/unverifiedcve_referencewww.exploit-db.com/exploits/40986/unverifiedcve_referencewww.exploit-db.com/exploits/41962/unverifiedcve_referencewww.exploit-db.com/exploits/41996/unverifiedcve_referencewww.exploit-db.com/exploits/42024/unverifiedcve_referencewww.exploit-db.com/exploits/42221/unverifiedexploitdbwww.exploit-db.com/exploits/41962unverifiedexploitdbwww.exploit-db.com/exploits/41996unverifiedexploitdbwww.exploit-db.com/exploits/40968unverifiedexploitdbwww.exploit-db.com/exploits/40970unverifiedexploitdbwww.exploit-db.com/exploits/40974unverifiedexploitdbwww.exploit-db.com/exploits/40969unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/140291/PHPMailer-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.htmlhttps://developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.htmlhttp://seclists.org/fulldisclosure/2016/Dec/78https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilitieshttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10033https://www.drupal.org/psa-2016-004https://www.exploit-db.com/exploits/40968/https://www.exploit-db.com/exploits/40969/https://www.exploit-db.com/exploits/40970/