GHSA-M298-FH5C-JC66

Vulnerability from github – Published: 2021-05-04 17:42 – Updated: 2021-05-10 19:27
VLAI?
Summary
Object injection in PHPMailer/PHPMailer
Details

Impact

This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See this article for more info.

Patches

This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like any kind of URL are rejected.

Workarounds

Validate paths to loaded files using the same pattern as used in isPermittedPath() before using them in any PHP file function, such as file_exists. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to all user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.

Credit

This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmailer/phpmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.8"
            },
            {
              "fixed": "6.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-641"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-30T19:41:24Z",
    "nvd_published_at": "2021-04-28T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThis is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8.  An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP\u0027s support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.\n\n### Patches\nThis issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.\n\n### Workarounds\nValidate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can\u0027t be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it\u0027s not a problem specific to PHPMailer.\n\n### Credit\nThis issue was found by Fariskhi Vidyan, reported and managed via Tidelift.",
  "id": "GHSA-m298-fh5c-jc66",
  "modified": "2021-05-10T19:27:44Z",
  "published": "2021-05-04T17:42:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36326"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Object injection in PHPMailer/PHPMailer"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.