PHPMailer CVE-2016-10033

Discussion in 'Security' started by ciao70, Dec 26, 2016.

  1. ciao70

    ciao70 Member

    Joined:
    Nov 3, 2006
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    151
    Hi,

    PHPMailer CVE-2016-10033 (Critical)

    legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

    github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
     
    #1 ciao70, Dec 26, 2016
    Last edited by a moderator: Dec 26, 2016
  2. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    71
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Is there any way to find which applications on the server are affected by this vulnerability, to shut them down until a patch is provided?
     
  3. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    334
    Likes Received:
    95
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    The following link will provide you with a variety of results that may be applicable to your installed applications.

    how do i find out if i use phpmailer - Google Search

    You may be able to extrapolate some common code, and use it to grep your hosting folders (don't forget that some applications/files may be stored outside of the web root)
     
  4. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    71
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Code:
    find /home/ -name 'class.phpmailer.php' -print -exec grep -ni '%s["'\''], $this->Sender' {} \;
    could be a starting point,
    or a command for finding vulnerable files and the line of code:
    gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf116
     
    #4 EneTar, Dec 27, 2016
    Last edited by a moderator: Dec 27, 2016
  5. ifastnet

    ifastnet Registered

    Joined:
    Dec 27, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    uk
    cPanel Access Level:
    Root Administrator
    This exploit looks too easy to trigger, I'd guess it's weaponized already!

    FYI, the file names change between different scripts, for example:

    class-phpmailer.php => wordpress
    phpmailer.php => Joomla
    class.phpmailer.php => whmcs

    So just looking for a filename is not a good solution.

    Took us 2 hours to cut together, test and deploy a script that updated phpmailer on all clients' sites... get your scripting heads on, dudes!
     
  6. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    363
    Likes Received:
    0
    Trophy Points:
    316
    Care to share this script?
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    334
    Likes Received:
    95
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Another critical security update:

    If you patched or updated to 5.2.18 to fix CVE-2016-10033, you should update again to at least 5.2.20 to address CVE-2016-10045

    This advisory is rated CRITICAL and Patch Now
     
  8. caroseuk

    caroseuk Member

    Joined:
    Aug 4, 2015
    Messages:
    24
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    United kingdom
    cPanel Access Level:
    Root Administrator
  9. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    334
    Likes Received:
    95
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    PHPMailer is a script used by many php applications.

    Joomla, Wordpress and WHMCS are all examples of scripts that use it in one form or another.

    As such, the vulnerability/exploit is not confined to cPanel servers, but rather to any server that hosts a php application containing the unpatched code.

    Some application packages like WHMCS have already issued patches in the form of updates, others are advising us that their particular implementation of the phpmailer class is not vulnerable, whilst others recommend one carefully checks any add-ons or 3rd party modules for their own updates.

    If you are worried about your applications, you can patch the file manually, either from the diffs, or by replacing it with up-to-date files from GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP

    Remember this is not just an isolated case, it highlights the importance of being ever vigilant, and ensuring that all scripts that run on your server are patched to the latest version, and that any that are no longer supported and have been abandoned by their developers are either sandboxed or preferably deleted.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I'd like to clarify for anyone browsing this thread for the first time that this vulnerability does not affect the cPanel/WHM product itself. It's specifically related to the PHPMailer class, which is not included in cPanel/WHM.

    That said, some third-party applications offered as cPAddons (e.g. WordPress) do include PHPMailer and may be vulnerable to CVE-2016-10045.

    It is recommended that any and all PHPMailer class installations are updated to a minimum of version 5.2.20. This is outlined in the following third-party links:

    Critical security update: PHPMailer 5.2.20 (CVE-2016-10045) - SANS Internet Storm Center
    About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities PHPMailer/PHPMailer Wiki · GitHub

    Thank you.
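
An added example, not posted by anyone in this thread: one way to inventory PHPMailer copies by file content rather than by filename (the filenames differ per application, as noted in post 5) and to flag any copy below 5.2.20, the minimum recommended above. It assumes GNU `sort -V` and that each copy declares its version as `$Version = '...'` or `const VERSION = '...'`; the `site1`..`site4` tree and its file contents are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find PHPMailer copies by content and
# flag any below 5.2.20, the minimum version recommended in the thread.
MIN_VERSION="5.2.20"

# version_lt A B: succeeds when A is strictly older than B (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# phpmailer_version FILE: print the declared version string, e.g. 5.2.18.
# Recognises `public $Version = '5.2.18';` and `const VERSION = '6.0.0';`.
phpmailer_version() {
    grep -m1 -Eo "(\\\$Version|const VERSION)[[:space:]]*=[[:space:]]*['\"][0-9][0-9A-Za-z.-]*" "$1" |
        sed -E "s/.*['\"]//"
}

# scan_phpmailer DIR: one line per copy found, STATUS<TAB>VERSION<TAB>PATH.
scan_phpmailer() {
    grep -rlE --include='*.php' 'class[[:space:]]+PHPMailer([^A-Za-z0-9_]|$)' "$1" 2>/dev/null |
    sort | while IFS= read -r f; do
        v=$(phpmailer_version "$f")
        if [ -z "$v" ]; then status=UNKNOWN; v='?'
        elif version_lt "$v" "$MIN_VERSION"; then status=OUTDATED
        else status=OK; fi
        printf '%s\t%s\t%s\n' "$status" "$v" "$f"
    done
}

# mk PATH DECLARATION: write a minimal constructed class file (sample data).
mk() {
    mkdir -p "$(dirname "$1")"
    printf '<?php\nclass PHPMailer\n{\n    %s\n}\n' "$2" > "$1"
}

# demo_tree: constructed tree using the filenames from post 5 plus a renamed copy.
demo_tree() {
    d=$(mktemp -d)
    mk "$d/site1/class-phpmailer.php" "public \$Version = '5.2.14';"
    mk "$d/site2/phpmailer.php"       "public \$Version = '5.2.18';"
    mk "$d/site3/class.phpmailer.php" "public \$Version = '5.2.20';"
    mk "$d/site4/lib/Mail.php"        "const VERSION = '6.0.0';"
    echo "$d"
}

# Scan the directory given as $1, or the constructed demo tree when none is given.
scan_phpmailer "${1:-$(demo_tree)}"
```

Run it as root against `/home` and any application directories outside the web root; copies reported as `UNKNOWN` need a manual look, since vendors sometimes backport fixes without changing the version string.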
     