==================================================================== CERT-Renater Note d'Information No. 2021/VULN333 _____________________________________________________________________ DATE : 18/06/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running PHPMailer versions prior to 6.5.0. ===================================================================== https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-7q44-r25x-wm4q https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3 _____________________________________________________________________ Remote Code Execution vulnerability in PHPMailer 6.4.1 running on Windows moderate Synchro published GHSA-7q44-r25x-wm4q Jun 16, 2021 Package phpmailer/phpmailer (composer) Affected versions <6.5.0 Patched versions 6.5.0 Description PHPMailer 6.4.1 contains a possible remote code execution vulnerability through the $lang_path parameter of the setLanguage() method. If the $lang_path parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to create a remote mount on the server that the UNC path points to, a script file under their control may be executed. Impact Arbitrary code may be run by a remote attacker under the web server or PHP process running on Window hosts. Patches Mitigated in PHPMailer 6.5.0 by no longer treating translation files as PHP code, but by parsing their text content directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility. This isn't ideal, so the current translation format is deprecated and will be replaced in the next major release. Workarounds Any of: Ensure that calling code does not pass unfiltered user-supplied data to the $lang_path parameter of the setLanguage() method. Block or filter the use of unknown UNC paths in this parameter (or altogether). Ensure that unauthorised users do not have the ability to read from unknown remote servers via UNC paths. Run on an OS that does not support UNC paths References CVE-2021-34551. Reported by listensec.com via Tidelift. For more information If you have any questions or comments about this advisory: Open an issue in PHPMailer Email the maintainers _____________________________________________________________________ A validation function with the same name as a built-in validator can be called low Synchro published GHSA-77mr-wc79-m8j3 Jun 16, 2021 Package phpmailer/phpmailer (composer) Affected versions <6.5.0 Patched versions 6.5.0 Description If a function is defined that has the same name as the default built-in email address validation scheme (php), it will be called in default configuration as when no validation scheme is provided, the default scheme's callable php was being called. If an attacker is able to inject such a function into the application (a much bigger issue), it will be called whenever an email address is validated, such as when calling validateAddress(). Impact Low impact – exploitation requires that an attacker can already inject code into an application, but it provides a trigger pathway. Patches This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. Workarounds Inject your own email validator function. References Reported by Vikrant Singh Chauhan via huntr.dev. CVE-2021-3603 For more information If you have any questions or comments about this advisory: Open an issue in the PHPMailer project Email us. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================