A patch for a serious vulnerability in the widely used open source PHPMailer library needed its own patch to prevent attackers from bypassing the mitigation and exploiting the flaw.
The PHPMailer library is incorporated in many popular open source projects, including WordPress, Joomla and Drupal, that power tens of millions of websites. The flaw potentially enables remote code execution attacks that could compromise targeted PHP web applications -- and the first patch for the flaw was not sufficient to stamp it out.
"Unhelpfully, an exploit for [the vulnerability] was posted on an open mailing list the same day, making this a [zero-day] vulnerability," noted the PHPMailer project, writing in a blog post detailing the timeline of the discovery and patching of the flaw.
Independent security researcher Dawid Golunski initially reported the vulnerability to the PHPMailer project on Dec. 16; the flaw was assigned to CVE-2016-10033, according to PHPMailer.
The vulnerability is present when the "From:" address of an email can be set from user input and PHPMailer's Sender property has not been set. The attack occurs when an individual crafts an email address that includes an executable shell command in the "From:" header.
PHPMailer's initial patch prevents attackers from crafting a "From:" address that includes a shell command by applying the PHP function escapeshellarg(). That function escapes a string so it can be passed safely as a single argument to a shell command.
However, after the patch was released, Golunski discovered another function, escapeshellcmd(), which can be used to bypass escapeshellarg(). "As a result, it is possible to inject an extra quote that does not get properly escaped and break out of the escapeshellarg() protection" applied by the first patch, Golunski wrote in his advisory attached to the second vulnerability, CVE-2016-10045. Both Drupal and WordPress consider this a critical vulnerability and issued advisories on it, despite the fact the flaw is not in their code.
The PHPMailer project expressed concern over the existence of the proof-of-concept (POC) exploit. But Jacob Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., suggested it's not yet time to panic, noting in a blog post "the default POC script (which every skiddie out there will use without modification) uses the string 'zXJpHSq4mNy35tHe' as a content boundary. You can use this for your [intrusion detection system] to find attackers on the wire using the default POC script."
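As an added illustration of the two defensive checks discussed above (not code from PHPMailer or from either advisory), the following Python scans constructed contact-form POST bodies for the default POC content boundary quoted by Williams and for sender fields that would not be safe to hand to a mailer. The field names (`from`, `email`, `sender`, `reply_to`) and the strict address allow-list are assumptions for this example; the allow-list is deliberately narrower than RFC 5322, so quoted local parts are rejected along with anything containing whitespace, quotes or backslashes.

```python
import re
from urllib.parse import parse_qs

# Content boundary used by the default public POC, as quoted in the article.
POC_BOUNDARY = "zXJpHSq4mNy35tHe"

# Assumed names of form fields that end up in a mail "From:" header.
SENDER_FIELDS = ("from", "email", "sender", "reply_to")

# Strict allow-list: local@domain with no whitespace, quotes, backslashes
# or other characters that could reach a sendmail command line.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def from_address_is_safe(addr: str) -> bool:
    """True only if the address matches the strict allow-list."""
    return bool(SAFE_ADDRESS.match(addr))


def inspect_post_body(body: str) -> list:
    """Return a list of finding labels for one URL-encoded POST body."""
    findings = []
    if POC_BOUNDARY in body:
        findings.append("default-poc-boundary")
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        if name.lower() not in SENDER_FIELDS:
            continue
        for value in values:
            if not from_address_is_safe(value):
                findings.append("unsafe-sender:" + name)
    return findings


# Constructed sample submissions, not real traffic.
SAMPLES = [
    "name=Alice&email=alice%40example.com&message=hello",
    # sender value decodes to: bob@example.com" hi  (quote and space)
    "name=Bob&email=bob%40example.com%22%20hi&message=hi",
    "name=Eve&email=eve%40example.com&message=--zXJpHSq4mNy35tHe",
]


def scan(samples: list) -> dict:
    """Map each sample index to its findings; empty list means clean."""
    return {i: inspect_post_body(body) for i, body in enumerate(samples)}


if __name__ == "__main__":
    for index, result in scan(SAMPLES).items():
        print(index, result or "clean")
```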