CVE-2016-10033

Name: CVE-2016-10033
Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-770-1, DSA-3750-1
NVD severity: medium (attack range: remote)
Debian Bugs: 849365

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libphp-phpmailer (PTS) | wheezy | 5.1-1.1 | vulnerable |
| | wheezy (security) | 5.1-1.3 | fixed |
| | jessie (security), jessie | 5.2.9+dfsg-2+deb8u3 | fixed |
| | stretch, sid | 5.2.14+dfsg-2.2 | fixed |

The information below is based on the following data on fixed versions.

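| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libphp-phpmailer | source | (unstable) | 5.2.14+dfsg-2.1 | medium | | 849365 |
| libphp-phpmailer | source | jessie | 5.2.9+dfsg-2+deb8u2 | medium | DSA-3750-1 | |
| libphp-phpmailer | source | wheezy | 5.1-1.2 | medium | DLA-770-1 | |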

Notes

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Fixed by: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449
Fix potentially incomplete, cf http://www.openwall.com/lists/oss-security/2016/12/28/1
When updating libphp-phpmailer for CVE-2016-10033 make sure to apply the
complete patch to not make libphp-phpmailer affected by CVE-2016-10045.
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Needs followup: https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
Another followup: https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
