
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN257
_____________________________________________________________________

DATE                : 04/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PHPMailer versions prior to 6.4.1.

=====================================================================
https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66
_____________________________________________________________________


Description


Impact

This is a reintroduction of an earlier issue (CVE-2018-19296) by an
unrelated bug fix in PHPMailer 6.1.8. An external file may be
unexpectedly executable if it is used as a path to an attachment file
via PHP's support for .phar files. Exploitation requires that an
attacker is able to provide an unfiltered path to a file to attach, or
to trick calling code into generating one. See this article for more
info.


Patches

This issue was patched in the PHPMailer 6.4.1 release. This release also
implements stricter filtering for attachment paths; paths that look like
any kind of URL are rejected.


Workarounds

Validate paths to loaded files using the same pattern as used in
isPermittedPath() before passing them to any PHP file function, such as
file_exists(). That method can't be called directly because it is
protected, but the same check can be implemented in calling code. Note
that this should be applied to all user-supplied paths passed into such
functions; it's not a problem specific to PHPMailer.
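The check described above, as an added example that is not part of the advisory or of PHPMailer itself: the scheme regex follows the RFC 3986 scheme grammar that PHPMailer's isPermittedPath() is modelled on (an assumption, since the protected method is reimplemented rather than called), and the base directory, helper names and sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Reject any path that begins with a URL scheme / stream wrapper
// (phar://, file://, http://, data:// ...) before it reaches file_exists(),
// is_file(), addAttachment() or any other PHP file function.
function isPlainLocalPath(string $path): bool
{
    return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
}

// Resolve a user-supplied attachment name inside a fixed upload directory.
// Returns the canonical path, or null if the value must not be used.
function safeAttachmentPath(string $baseDir, string $userPath): ?string
{
    if ($userPath === '' || !isPlainLocalPath($userPath)) {
        return null;                               // wrapper or URL scheme
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                               // upload dir missing
    }
    // realpath() has no stream-wrapper support and collapses "../" segments,
    // so the containment test below is done on a canonical filesystem path.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;                               // nonexistent / not a file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                               // escaped the upload dir
    }
    return $real;
}

// Constructed sample inputs showing which values the scheme filter refuses.
$samples = ['report.pdf', 'phar://uploads/evil.phar/x', 'PHAR://a.phar', 'http://example.invalid/f'];
foreach ($samples as $s) {
    printf("%-32s %s\n", $s, isPlainLocalPath($s) ? 'allowed' : 'rejected');
}

// Typical use in calling code (hypothetical upload directory and field name):
// $path = safeAttachmentPath(__DIR__ . '/uploads', $_POST['attachment'] ?? '');
// if ($path === null) { http_response_code(400); exit('invalid attachment'); }
// $mail->addAttachment($path);
```

The scheme filter alone mirrors the library's check; the directory containment test is an additional hardening step for code that builds attachment paths from user input.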


Credit

This issue was found by Fariskhi Vidyan, reported and managed via
Tidelift.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


