Description
SMTP Injection in PHPMailer
Impact
Attackers could inject arbitrary SMTP commands by exploiting the fact that valid email addresses may contain line breaks, which PHPMailer did not handle correctly in some contexts.
Patches
Fixed in 5.2.14 in this commit.
Workarounds
Manually strip line breaks from email addresses before passing them to PHPMailer.
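The workaround above, as an added example (not code from the advisory or the PHPMailer project): a helper that strips CR/LF as described, beside a stricter variant that rejects such addresses outright, which is the safer choice because stripping turns an injected address into a different, still-garbled string. `$mail` and the recipient list are hypothetical; PHPMailer's `addAddress()` is the real API.

```php
<?php
declare(strict_types=1);

/**
 * Workaround from the advisory: remove any CR/LF from an address
 * before it reaches PHPMailer.
 */
function stripLineBreaks(string $address): string
{
    return str_replace(["\r", "\n"], '', $address);
}

/**
 * Stricter variant: refuse an address that contains CR or LF at all,
 * then require it to pass PHP's e-mail syntax filter.
 * Returns null when the address must not be used.
 */
function safeAddress(string $address): ?string
{
    if (preg_match('/[\r\n]/', $address) === 1) {
        return null; // a line break has no legitimate place in a recipient here
    }
    $address = trim($address);
    return filter_var($address, FILTER_VALIDATE_EMAIL) === false ? null : $address;
}

// Constructed inputs for illustration only.
$good = 'alice@example.com';
$bad  = "bob@example.com\r\nX-Injected: 1"; // CRLF embedded by an untrusted caller

assert(stripLineBreaks($bad) === 'bob@example.comX-Injected: 1'); // mangled, not mail
assert(safeAddress($good) === 'alice@example.com');
assert(safeAddress($bad) === null);

// Hypothetical use in front of a configured PHPMailer instance $mail:
// foreach ($untrustedRecipients as $recipient) {
//     $addr = safeAddress($recipient);
//     if ($addr === null) {
//         error_log('rejected recipient containing line break'); // log and skip
//         continue;
//     }
//     $mail->addAddress($addr);
// }
```

Versions 5.2.14 and later perform their own check in `validateAddress`, but rejecting such input at the application boundary still gives you a log entry to alert on.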
References
https://nvd.nist.gov/vuln/detail/CVE-2015-8476
For more information
If you have any questions or comments about this advisory:
- Open a private issue in the PHPMailer project
Links
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-738m-f33v-qc2r
- https://nvd.nist.gov/vuln/detail/CVE-2015-8476
- https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2015-8476.yaml
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
- http://www.debian.org/security/2015/dsa-3416
- http://www.openwall.com/lists/oss-security/2015/12/04/5
- http://www.openwall.com/lists/oss-security/2015/12/05/1
- http://www.securityfocus.com/bid/78619
Packages
phpmailer/phpmailer
Affected versions: >= 5.0.0, < 5.2.14
Patched version: 5.2.14
Related vulnerabilities
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.
Vulnerabilities in the Debian GNU/Linux operating system that allow an attacker to inject arbitrary SMTP commands