SAINT Corporation
SAINT:168BCB5A394D0A06D0B8CCA481D4C5C5
History: Jan 17, 2017 - 12:00 a.m.

Swift Mailer PwnScriptum Command Injection

2017-01-17 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.944 High
Percentile: 99.2%

Added: 01/17/2017
BID: 95140

Background

Swift Mailer is a component-based library used for sending email from PHP. It is used by many PHP programming frameworks, e.g., Yii2, Laravel, and Symfony.

Problem

The Swift Mailer library's mail transport (Swift_Transport_MailTransport) is vulnerable to command injection because it fails to properly sanitize the “From”, “ReturnPath” and “Sender” headers.

Resolution

Upgrade to Swift Mailer 5.4.5 or higher.

References

<http://pwnscriptum.com/>
<https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>
<https://www.exploit-db.com/exploits/40986/>

Limitations

Exploit works on Swift Mailer before 5.4.5.

Exploit targets a common web application component: a contact form. The contact form action parameter value and field names must match the specified value/field names (e.g., send/name/email/msg).

There must be a web-user writable directory under the web application directory.
