PHPMailer is vulnerable to remote code execution (RCE). A malicious user can inject and execute arbitrary code by passing extra parameters to the mail command. This is due to an improper interaction between the library's use of the escapeshellarg function and the internal escaping performed by PHP. The issue exists because CVE-2016-10033 was fixed incorrectly.
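
One way to guard against this class of bug, as an added example that is not PHPMailer's own code: a sender address reaches the additional-parameters argument of mail() only if no escaping layer would have to alter it. The function names and sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of PHPMailer's API): returns true only if
 * $address can follow "-f" in mail()'s fifth argument with no escaping at all.
 */
function is_shell_safe_sender(string $address): bool
{
    // Syntactic validity is necessary but not sufficient: an address can be
    // RFC-valid and still contain quotes and spaces in its local part.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Allowlist: ASCII letters, digits and "@ _ . -" only. With no whitespace,
    // quotes or backslashes, neither escaping layer has anything to rewrite.
    if (preg_match('/\A[A-Za-z0-9@_.\-]+\z/', $address) !== 1) {
        return false;
    }
    // Belt and braces: both escaping functions must be no-ops on the value.
    // escapeshellarg() wraps in single quotes on Unix, double quotes on Windows.
    return escapeshellcmd($address) === $address
        && in_array(escapeshellarg($address), ["'$address'", "\"$address\""], true);
}

/**
 * Hypothetical helper: builds the additional-parameters string for mail().
 * An unsafe sender is dropped rather than escaped, because PHP escapes the
 * parameter string again internally and the two schemes do not compose.
 */
function build_mail_params(string $sender): string
{
    return is_shell_safe_sender($sender) ? '-f' . $sender : '';
}

// Constructed sample inputs, for illustration only.
$samples = [
    'alice@example.com',          // plain address: accepted
    'first.last-1@example.org',   // allowed punctuation: accepted
    '"quoted part"@example.com',  // quotes and a space: rejected
    'back\\slash@example.com',    // backslash: rejected
    'not-an-address',             // fails basic validation: rejected
];

foreach ($samples as $s) {
    printf("%-30s => %s\n", var_export($s, true), var_export(build_mail_params($s), true));
}
```

When the sender is rejected, the message is sent without an explicit envelope sender instead of with an escaped one.
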
openwall.com/lists/oss-security/2016/12/28/1
packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html
packetstormsecurity.com/files/140350/PHPMailer-Sendmail-Argument-Injection.html
seclists.org/fulldisclosure/2016/Dec/81
www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection
www.securityfocus.com/archive/1/539967/100/0/threaded
www.securityfocus.com/bid/95130
www.securitytracker.com/id/1037533
developer.joomla.org/security-centre/668-20161205-phpmailer-security-advisory.html
github.com/PHPMailer/PHPMailer/issues/924
github.com/PHPMailer/PHPMailer/pull/929
github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20
github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
www.exploit-db.com/exploits/40969/
www.exploit-db.com/exploits/40986/
www.exploit-db.com/exploits/42221/