Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
PHP Security Bug Communications Network Networking Privacy Software The Internet Technology

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com) 104

An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
This discussion has been archived. No new comments can be posted.

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script

Comments Filter:
  • DUUUUUUPE (Score:4, Funny)

    by Anonymous Coward on Tuesday December 27, 2016 @06:56PM (#53562995)

    I've been seeing this same headline or a paraphrasing of it for OVER A DECADE. Please stop with the duplicates!

  • by Anonymous Coward

    Swiftmailer, another popular lib, is also vulnerable.

    https://github.com/swiftmailer/swiftmailer/issues/844

    Looks like the core issue is with php's mail() function:

    > ... due to 'mail() in PHP already escapes this argument.' However that's not the
    > case - PHP passes the parameters through escapeshellcmd() but that doesn't
    > prevent the appending of additional arguments, which is the issue here.

    • by vernonB ( 636207 )
      do I correctly understand that with either PHPMailer or SwiftMailer, if you are using SMTP for your transport rather than PHP's native mail(), you are not vulnerable?
  • by Anonymous Coward

    i write a lot of my own shit and use external stuff as little as possible :-) ...even in PHP

    • by Anonymous Coward

      Right on, me too.

      - The PHPmailer developer.

  • by Anonymous Coward

    Perhaps this is only the beginning of the start of the self-aware wordpress botnet; but would explain the regular hacking of wordpress sites; that will probably only continue so long as people rely on other peoples' PHP code. Thats not to say that other languages aren't subject; but php is probably the worst because there is no precedence for code quality or coding standards that releases (or even most of the community) follow. Is php functional? Object oriented? Both? Its neither; I would describe it as pu

    • but would explain the regular hacking of wordpress sites

      It's got nothing to do with stuff like this and unless a popular WP plugin is found to be vulnerable to PHPMailer + param injection (unlikely in my opinion) there won't be much damage. Wordpress is vulnerable in general because it's easy to scan huge lists of websites for exploitable unpatched plugins, and because admins don't keep up to date. If a node.js platform ever becomes as popular as WP you can bet it will have the same issues.

  • Let the "PHP is crap" comments roll!

    • Let the "PHP is crap" comments roll!

      Yeah, I'm sick of the losers who are busy chasing the new shiny and don't say a word when someone finds a vulnerability in their super special language.

      The party line is something like this: Naturally it's totally impossible to write insecure code in any other language, and no other language (or library for any other language) has ever had an exploitable bug, ever. It's all PHP's fault, of course!

      All I can say is that PHP (the LAMP stack, really) has made me a boatload of money over the years. Yes, it has b

    • by Tablizer ( 95088 )

      Prove Mail.dot.net or mail.java or mail.python is any safer over all.

  • by Falc0n ( 618777 ) <[moc.smetsysorcimedaj] [ta] [yrrepaj]> on Tuesday December 27, 2016 @09:42PM (#53563777) Homepage
    If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004 [drupal.org]

    Most sites needing extended mailing functionality probably use the SMTP contrib module [drupal.org], fortunately they too are not affected by this.

    However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.
    • Any word on Wordpress? I ran the exploit and it worked on one of my sites so I took the unprecedented step of literally disabling all my WP sites.

      • by Falc0n ( 618777 )
        Unfortunately Wordpress bundles this library within its core product. So yes, it looks like all Wordpress sites have vulnerable code. However, I'm not sure how much the core mailer is used within wordpress, or if its just a feature that is turned on for some sites.
      • by colfer ( 619105 )

        WP itself is not affected, they say. Plugins and themes of course are the wild card, if they email without using the WP wrappers. https://core.trac.wordpress.or... [wordpress.org]

  • by generic_screenname ( 2927777 ) on Wednesday December 28, 2016 @04:32AM (#53564727)
    Use a third party service and call their API. Done.
  • As always, Slashdot.org is the best site to check while drinking my first morning cup of coffee at work. After reading this, I was able to go check our Intranet and external websites for my company to verify that this does not effect us. Thank you so much!

Know Thy User.

Working...