[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]

To: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
From: Luigi Rosa <lists@xxxxxxxxxxxxx>
Date: Tue, 27 Dec 2016 11:22:44 +0100

Dawid Golunski wrote on 26/12/2016 03:31:

Patching:
Responsibly disclosed to PHPMailer team.
They've released a critical security release.
If you are using an affected release update to the 5.2.18 security
release as advised at:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

Am I wrong or the vulnerability only applies if you use the sendmail method tosend messages and does not apply if you use SMTP on port 25?

I have patched all my PHPMailer installation yesterday, I am asking this onlyfor personal curiosity.


Thank you

--


Ciao,
luigi

/
+--[Luigi Rosa]--
\

http://127.0.0.1
Error 404: No One Home

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
  - From: Dawid Golunski

Prev by Date: Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
Next by Date: [FD] Executable installers are vulnerable^WEVIL (case 42): SoftMaker's FreeOffice installer allows escalation of privilege
Previous by thread: [FD] PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]
Next by thread: [FD] PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]
Index(es):
- Date
- Thread