Future Hosting, a specialized VPS hosting and dedicated server hosting provider, has warned server administrators of a critical remote code execution vulnerability in PHPMailer – an email library used by the most popular PHP-based content management systems and frameworks.
It’s estimated that PHPMailer is installed on many hundreds of thousands of servers. The vulnerability was first disclosed in December, as reported by Threatpost. A patch was released to fix the vulnerability, but a bypass of that patch was quickly discovered. A second patch successfully mitigated the vulnerability, but Future Hosting is concerned that server administrators may not have applied the second patch, putting users and data at risk.
All versions of PHPMailer prior to version 5.2.20 are vulnerable. The first attempt to patch the vulnerability – PHPMailer 5.2.18 – did not successfully protect PHPMailer users, so a second update was required.
“As a provider of managed server hosting, we have applied the most recent patch to all managed servers, but we’re concerned less experienced server administrators may not have made the necessary updates,” said Maulesh Patel, VP of Operations of Future Hosting. “Because PHPMailer is a dependency of many PHP-based applications, it may not be immediately apparent that PHPMailer is installed on a system. We want to raise awareness of the vulnerability to alert server administrators to the risk.”
PHPMailer is frequently used by leading PHP CMSs and frameworks to send email in response to details collected from a web form, such as a contact form, an email submission form, or a support request form.
The vulnerability may allow an attacker to target these forms by submitting a carefully crafted sender address and email body. By embedding commands in the sender email address, the attacker can cause the message body, which contains a PHP script, to be written to the server’s filesystem. The attacker can then execute the saved script to exfiltrate data or install further malware.
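Because PHPMailer is often pulled in as a dependency, an administrator may not know it is present. The following added example (not Future Hosting’s or the PHPMailer project’s code) locates PHPMailer class files under a directory and flags any copy older than the fixed release 5.2.20; it assumes the version is declared in the class file as `public $Version = '5.2.18';` (5.2.x) or `const VERSION = '6.0.0';` (6.x), and the demo tree it scans is constructed inline.

```shell
# Added example (not Future Hosting's or the PHPMailer project's code): find every
# PHPMailer copy under a directory and flag versions older than the fixed 5.2.20.
# Assumes the class file declares the version as  public $Version = '5.2.18';
# (5.2.x, class.phpmailer.php) or  const VERSION = '6.0.0';  (6.x, PHPMailer.php).
FIXED_VERSION="5.2.20"
# version_lt A B: exit 0 when dotted version A is older than B (pure awk, no sort -V).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0; if (xi > yi) exit 1
        }
        exit 1
    }'
}
# phpmailer_version FILE: print the version declared in FILE (exit 1 if none found).
phpmailer_version() {
    grep -oiE "version = '[0-9]+(\.[0-9]+)+'" "$1" | head -n 1 | grep -oE '[0-9]+(\.[0-9]+)+'
}
# scan_phpmailer ROOT: print "<file> <version> VULNERABLE|patched" for each copy found.
scan_phpmailer() {
    find "$1" -type f \( -name 'class.phpmailer.php' -o -name 'PHPMailer.php' \) 2>/dev/null |
    while IFS= read -r f; do
        v=$(phpmailer_version "$f") || continue
        if version_lt "$v" "$FIXED_VERSION"; then
            printf '%s %s VULNERABLE\n' "$f" "$v"
        else
            printf '%s %s patched\n' "$f" "$v"
        fi
    done
}
# demo: scan a constructed tree holding one unpatched (5.2.18) and one patched (5.2.21) copy.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/app1/vendor/phpmailer/phpmailer" "$d/app2/lib"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '5.2.18';\n}\n" > "$d/app1/vendor/phpmailer/phpmailer/class.phpmailer.php"
    printf "<?php\nclass PHPMailer {\n    public \$Version = '5.2.21';\n}\n" > "$d/app2/lib/class.phpmailer.php"
    scan_phpmailer "$d"
    rm -rf "$d"
}
# Usage: sh check_phpmailer.sh --demo    or, after sourcing:    scan_phpmailer /var/www
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, point scan_phpmailer at the web root and at any application directories outside it; a copy found under a vendor directory is typically updated through the application's own dependency manager rather than by hand.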