Hate 'contact us' forms? This PHPMailer zero day will drop shell in sender
Borked patch opens remote code execution on web servers
Websites that use PHPMailer to send mail from web forms are exposed to a critical-rated remote code execution zero-day.
Legal Hackers researcher Dawid Golunski found the vulnerability (CVE-2016-10033) in the much-used library, which ships in the world's most popular content management systems and their add-ons.
Equivalent flaws affect Zend Framework's mailer (zend-mail) and SwiftMailer.
PHPMailer issued a patch (version 5.2.18) for the vulnerability, but Golunski says it can be bypassed (CVE-2016-10045), reopening the avenue for attack.
Golunski created a limited proof-of-concept exploit and a video demonstrating how attackers can gain remote code execution.
Only some sites are exposed. The attack smuggles extra sendmail arguments through the email sender (envelope From) address that PHPMailer hands to the local sendmail binary, so a form is at risk only if it lets the visitor set that address. Most contact forms do ask for the visitor's email address, but they typically put it in a Reply-To header or the message body rather than using it as the sender, and those forms are not affected.
That rules out Joomla! among other content management systems: its developers say the core API does not allow the sender address to be set from user input, though extensions may, leaving sites that use such extensions vulnerable.
Drupal is ruled out on the same grounds, although its developers still issued a public announcement warning of the bug given its "extreme criticality".
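To make concrete what "shell commands via the sender address field" means, and what to look for when auditing your own forms, here is an added example (not code from the article, PHPMailer or Golunski). It models how PHP's mail() builds the sendmail command line from PHPMailer's "-f<Sender>" parameter, using Python ports of PHP's escapeshellcmd() and escapeshellarg() and shlex.split() in place of /bin/sh word splitting. The addresses, the "-Xinjected" placeholder token, the default sendmail path and the allowlist helper are all constructed for the demonstration; the version behaviours (verbatim Sender before 5.2.18, escapeshellarg() in 5.2.18) are PHPMailer's, the rest is mine.

```python
"""
Added example: how an attacker-controlled PHPMailer sender address turns into
extra sendmail options, and why the first fix did not hold.

PHP's mail() takes its fifth argument (PHPMailer passes "-f<Sender>"), runs
it through escapeshellcmd(), appends it to sendmail_path and hands the result
to /bin/sh.  escapeshellcmd() escapes shell metacharacters but not spaces,
and RFC 5322 allows spaces inside a quoted local part, so an address that
passes syntax validation can still split into several words on the command
line.  Inputs below are constructed; "-Xinjected" is a placeholder token,
not a working payload.
"""
import shlex

SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"   # PHP's default sendmail_path on Linux

# Characters escapeshellcmd() prefixes with a backslash (quotes are handled separately).
_META = set("&#;`|*?~<>^()[]{}$\\\n\xff")


def escapeshellcmd(s: str) -> str:
    """Port of PHP escapeshellcmd(): metacharacters get a backslash, quotes are
    escaped only when unpaired, and spaces are left alone (the root cause)."""
    out = []
    pending = None                      # index of the quote closing an open pair
    for i, ch in enumerate(s):
        if ch in "\"'":
            if pending is None:
                j = s.find(ch, i + 1)
                if j == -1:
                    out.append("\\")    # unpaired quote: escape it
                else:
                    pending = j         # paired: leave both alone
            elif s[pending] == ch:
                pending = None          # this is the closing quote of the pair
            else:
                out.append("\\")        # other quote type inside an open pair
            out.append(ch)
        elif ch in _META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escapeshellarg(s: str) -> str:
    """Port of PHP escapeshellarg() on POSIX: single-quote the whole string and
    turn each embedded ' into '\\'' (close quote, escaped quote, reopen)."""
    return "'" + s.replace("'", "'\\''") + "'"


def php_mail_argv(extra_params: str) -> list:
    """What /bin/sh executes for mail(..., $extra_params): sendmail_path plus
    escapeshellcmd(extra_params), word-split the way the shell does it."""
    return shlex.split(SENDMAIL_PATH + " " + escapeshellcmd(extra_params))


def argv_unpatched(sender: str) -> list:
    """PHPMailer before 5.2.18: Sender goes into mail()'s extra parameters verbatim."""
    return php_mail_argv("-f" + sender)


def argv_5_2_18(sender: str) -> list:
    """PHPMailer 5.2.18: Sender wrapped in escapeshellarg() first.  mail() then
    applies escapeshellcmd() on top, which doubles the backslash in the '\\''
    sequence, so a \\' inside the address escapes from the single quotes."""
    return php_mail_argv("-f" + escapeshellarg(sender))


def sender_is_shell_safe(sender: str) -> bool:
    """Allowlist check (my own, in the spirit of the allowlist approach PHPMailer
    later adopted): only ASCII alphanumerics and @ _ - . may reach the sender."""
    return all(c.isascii() and (c.isalnum() or c in "@_-.") for c in sender)


# Constructed inputs.  Both crafted addresses are syntactically valid e-mail
# addresses: the local part is a quoted string, which may hold spaces and \" or \'.
BENIGN = "alice@example.com"
CRAFTED_V1 = '"a\\" -Xinjected x"@example.com'    # splits before 5.2.18
CRAFTED_V2 = '"a\\\' -Xinjected x"@example.com'   # splits in 5.2.18

if __name__ == "__main__":
    for label, fn in (("unpatched", argv_unpatched), ("5.2.18", argv_5_2_18)):
        for addr in (BENIGN, CRAFTED_V1, CRAFTED_V2):
            argv = fn(addr)
            flag = "  <-- extra sendmail option injected" if "-Xinjected" in argv else ""
            print(f"{label:9} {addr!r:38} -> {argv[3:]}{flag}")
    print("allowlist accepts:", [sender_is_shell_safe(a) for a in (BENIGN, CRAFTED_V1, CRAFTED_V2)])
```

The practical check this suggests for a form: never let a visitor-supplied value become the sender or From address at all; send from a fixed, site-owned address and put the visitor's address in Reply-To. The allowlist function is a defence-in-depth filter for code paths that must take an address from input, not a substitute for upgrading the library.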
Until a complete patch is available, administrators should manually check every place PHPMailer (or code built on it) is used, and in particular whether any user-supplied value reaches the sender address, to limit exposure. ®