Описание
PHPMailer Shell command injection
PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
Impact
Shell command injection, remotely exploitable if host application does not filter user data appropriately.
Patches
Fixed in 1.7.4
Workarounds
Filter and validate user-supplied data before putting in the into the Sender property.
References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215
For more information
If you have any questions or comments about this advisory:
- Open a private issue in the PHPMailer project
Ссылки
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-6h78-85v2-mmch
- https://cxsecurity.com/issue/WLB-2007060063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
- https://seclists.org/fulldisclosure/2011/Oct/223
- https://sourceforge.net/p/phpmailer/bugs/192
- https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution
- https://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Пакеты
phpmailer/phpmailer
< 1.7.4
1.7.4
EPSS
CVE ID
Связанные уязвимости
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
PHPMailer 1.7, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.
PHPMailer 1.7, when configured to use sendmail, allows remote attacker ...
EPSS