Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW0yOTgtZmg1Yy1qYzY2
Object injection in PHPMailer/PHPMailer
Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files: passing a phar:// path to a PHP filesystem function such as file_exists() makes PHP parse the archive and unserialize its metadata, so a crafted archive can trigger object injection without any explicit unserialize() call. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one.
Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like any kind of URL are rejected.
Workarounds
Validate paths to loaded files using the same pattern as used in isPermittedPath() before using them in any PHP file function, such as file_exists(). This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to all user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.
Credit
This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.
Permalink: https://github.com/advisories/GHSA-m298-fh5c-jc66
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW0yOTgtZmg1Yy1qYzY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-m298-fh5c-jc66, CVE-2020-36326
References:
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66
- https://nvd.nist.gov/vuln/detail/CVE-2020-36326
- https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
- https://lists.fedoraproject.org/archives/list/[email protected]/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml
- https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1
- https://github.com/advisories/GHSA-m298-fh5c-jc66
Blast Radius: 42.0
Affected Packages
packagist:phpmailer/phpmailer
Dependent packages: 1,306
Dependent repositories: 19,318
Downloads: 70,062,547 total
Affected Version Ranges: >= 6.1.8, < 6.4.1
Fixed in: 6.4.1
All affected versions: 6.1.8, 6.2.0, 6.3.0, 6.4.0
All unaffected versions: 5.2.2, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.2.18, 5.2.19, 5.2.20, 5.2.21, 5.2.22, 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.1, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2