Hi Everyone! If you currently have a website written in PHP, it is VERY important for you to read this post.
Recently, a flaw was disclosed by researcher Dawid Golunski of Legal Hackers. This flaw, which an unauthenticated remote attacker could use to achieve remote arbitrary code execution in the context of the web server, could be used to remotely compromise targeted web applications.
PHPMailer is a popular component used by an estimated 9 million sites for handling tasks such as email submission and registration forms. The vulnerability (CVE-2016-10033) allows an attacker to target contact forms, feedback forms, registration forms, and other web pages that send email messages to users. Through them the attacker can execute arbitrary commands on the affected server, gaining access to anything the webserver has access to. If the webserver runs as a “privileged user”, this could even include your password files, and give the attacker “root access” to your machine.
At the time of this posting, no proof-of-concept hacks had been posted for known environments, but at least one internet user has posted an example of how a simple form can be exploited in a test environment.
So please, everyone, take this seriously. If you run custom code, search for files with phpmailer in the name (ex: smtp.phpmailer.class). If you have shell access, you can do this by installing mlocate, running “updatedb”, then running “locate phpmailer” and going through the results.
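For hosts where installing mlocate is not an option, the same inventory can be done with find. This is an added example, not code from the original post or from the PHPMailer project: it lists every file with phpmailer in its name under a directory and reports the version string each one declares, so you can compare it against the fixed release named in the vendor advisory. The `$Version = '...'` pattern is an assumption about how the class file declares its release, and the sample tree (including version 0.0.1) is constructed.

```shell
#!/bin/sh
# Inventory PHPMailer copies under a directory and report declared versions.

# scan_phpmailer ROOT
# Prints "path<TAB>version" for each file whose name contains "phpmailer"
# (case-insensitive). Version is "unknown" when no version line is found.
scan_phpmailer() {
    find "$1" -type f -iname '*phpmailer*' 2>/dev/null | sort |
    while IFS= read -r f; do
        # Assumption: the release is declared as  $Version = 'x.y.z';
        ver=$(sed -n "s/.*\$Version[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9A-Za-z.-]*\)['\"].*/\1/p" "$f" | head -n 1)
        printf '%s\t%s\n' "$f" "${ver:-unknown}"
    done
}

# make_constructed_tree DIR
# Builds a small constructed web root for trying the scan offline.
make_constructed_tree() {
    mkdir -p "$1/site1/lib" "$1/site2/vendor"
    printf '%s\n' '<?php' 'class PHPMailer {' \
        "    public \$Version = '0.0.1';" '}' \
        > "$1/site1/lib/class.phpmailer.php"
    printf '%s\n' '<?php // autoloader, no version line' \
        > "$1/site2/vendor/PHPMailerAutoload.php"
    printf '%s\n' '<?php echo "hi";' > "$1/site2/index.php"
}

# Usage: sh scan.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_phpmailer "$1"
fi
```

Files reported as "unknown" still need a manual look, since bundled or renamed copies may not carry a version line.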
If you use WordPress or another framework or CMS, then PLEASE make sure to watch the releases/updates page for said software and apply any patches as soon as they show up. If you are a QnEZ customer and used our Installatron installer for installing WordPress, Installatron will do the critical update for you.
Just as a note, while there are some Drupal modules that use the affected PHPMailer class, the Drupal SMTP module (most commonly used) is NOT affected, as it uses a custom version of PHPMailer in its code.