Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Serious PHP Issues Revealed by Flaws in PHPMailer, SwiftMailer

Experts have determined that the remote code execution vulnerabilities affecting the PHPMailer and SwiftMailer email-sending libraries are caused by PHP design flaws.

Experts have determined that the remote code execution vulnerabilities affecting the PHPMailer and SwiftMailer email-sending libraries are caused by PHP design flaws.

Researcher Dawid Golunski from Legal Hackers recently discovered that PHPMailer has a critical flaw that can be exploited by a remote, unauthenticated attacker for arbitrary code execution in the context of the web server user. The weakness, exploitable by submitting specially crafted input through contact and registration forms, can allow an attacker to completely take over the targeted web application.

PHPMailer developers attempted to patch the vulnerability (CVE-2016-10033) with the release of version 5.2.18. However, Golunski determined that the fix could be bypassed. The new flaw (CVE-2016-10045) was patched on December 28 with the release of version 5.2.20.

In the meantime, the researcher found the same security hole in the SwiftMailer library (CVE-2016-10074). SwiftMailer developers included a fix for the vulnerability in version 5.4.5, released on December 29, but it may not be complete either.

Researcher Paul Buonopane believes that CVE-2016-10033, CVE-2016-10045 and CVE-2016-10074 are just the tip of the iceberg as they are caused by PHP design flaws that could expose many applications.

The issues, according to Buonopane, revolve around the lack of proper input sanitization, particularly related to the PHP functions escapeshellarg and escapeshellcmd. escapeshellcmd is designed to escape characters that might be used to trick a shell command into executing arbitrary commands, while escapeshellarg escapes a string that will be used as a shell argument.

Buonopane has pointed out that the escapeshellarg function is incomplete and escapeshellcmd was never meant to sanitize user input, which leaves room for abuse. The expert said PHP developers have known about some of the issues surrounding the problematic functions for several years.

“The underlying vulnerability is really a design flaw and will take many years to fix. That cannot begin without the active participation of the greater PHP community,” Buonopane said.

Both PHPMailer and SwiftMailer are very popular. PHPMailer is used by projects such as WordPress, Drupal and Joomla, while the SwiftMailer library is leveraged by PHP frameworks such as Yii2, Laravel and Symfony. While disclosures have focused on PHPMailer and SwiftMailer, Buonopane believes nearly all other PHP email libraries are affected by these vulnerabilities.

The expert has been in touch with the WordPress team – he noted that popular WordPress plugins with more than one million installs expose the vulnerability. Joomla has published an advisory for the issue and has promised to include a patched version of PHPMailer in the upcoming Joomla 3.7 release.

Until the issues are resolved properly, Buonopane has provided tools and mitigation advice that developers can use to secure their applications.

Related Reading: Hackers Can Exploit Roundcube Flaw by Sending an Email

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.