PHPMailer Remote Code Execution
A new critical vulnerability in the PHPMailer library, used by various popular PHP applications including Drupal contrib modules, has been discovered and reported by Dawid Golunski.
Note that a second report, CVE-2016-10045, renders the existing fixes for CVE-2016-10033 (included in PHPMailer 5.2.18 and 5.2.19) useless, while 5.2.20 is not yet released as of December 28, 2016.
We have evaluated the known attack vectors in the BOA context and have determined that, while the attack surface is very limited thanks to the BOA default security measures (listed below), the threat is still serious and you should take immediate action.
- Web server user has very limited capabilities in its virtual jail
- Drupal codebase and config files are not writable
- No alien PHP scripts can be executed, even if uploaded
- The system /tmp directory is not available for read/write
- System shell wrapper and strict permissions on binaries prevent escapes
Note that the Postfix-specific sendmail binary used in BOA ignores the -X argument (which writes the output to a log file) that is used in known exploits, which further limits the attack surface. Thanks to mig5 for pointing this out.
Does this mean that you can ignore the PHPMailer vulnerability? Absolutely not! It is still possible that someone will create an exploit which affects your Drupal website in an unknown way. This vulnerability may allow the attacker to write (and overwrite) files in your site’s files directory, which is always writable by your web server user. This means that even if the attacker couldn’t execute any PHP payload, they could still delete, overwrite, or upload anything in your site’s files directories, both public and private.
You should check and upgrade the PHPMailer library in all Drupal sites you host on BOA as soon as PHPMailer 5.2.20 is available. BOA will not fix the problem for you, whether you are on hosted or self-hosted BOA, so it is your responsibility to update your codebase as soon as possible.
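The check the last paragraph calls for, as an added example that is not part of this advisory or of PHPMailer itself: a POSIX shell audit that locates every PHPMailer 5.x copy under a directory tree (for example the docroots of all Drupal sites on a BOA server) and flags versions older than 5.2.20. It assumes that PHPMailer 5.x ships class.phpmailer.php with a `public $Version = '...';` declaration and that GNU `sort -V` is available; the directory paths are placeholders.

```shell
#!/bin/sh
# Added example (not BOA's or PHPMailer's own code): find PHPMailer 5.x
# copies under a tree and flag any version below 5.2.20.
# Assumes class.phpmailer.php declares: public $Version = '5.2.18';
# and that GNU sort -V is available for the version comparison.
FIXED_VERSION="5.2.20"

# Print "<path> <version>" for each class.phpmailer.php found under $1.
phpmailer_versions() {
    find "$1" -type f -name 'class.phpmailer.php' 2>/dev/null |
    while IFS= read -r f; do
        # \$ is a literal dollar in the BRE; "." matches the opening quote.
        v=$(sed -n 's/.*public \$Version *= *.\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s %s\n' "$f" "$v"
        fi
    done
}

# Succeed if version $1 is at least $FIXED_VERSION (GNU sort -V ordering).
version_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Print how many copies under $1 are older than $FIXED_VERSION.
count_vulnerable() {
    n=0
    for v in $(phpmailer_versions "$1" | awk '{ print $NF }'); do
        version_is_fixed "$v" || n=$((n + 1))
    done
    echo "$n"
}

# Report each copy under $1; exit status 1 if any copy still needs upgrading.
audit_phpmailer() {
    phpmailer_versions "$1" | while IFS= read -r line; do
        ver=${line##* }
        path=${line% *}
        if version_is_fixed "$ver"; then
            echo "OK          $ver  $path"
        else
            echo "VULNERABLE  $ver  $path  (upgrade to PHPMailer $FIXED_VERSION)"
        fi
    done
    [ "$(count_vulnerable "$1")" -eq 0 ]
}
```

Source the script and run `audit_phpmailer /path/to/sites` (path is a placeholder); a non-zero exit status means at least one copy still needs upgrading.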