A Critical Flaw Found in PHPMailer That Can Put Millions of Websites at Risk

In this age of cyber technology, we do almost everything from home. With a single keystroke we get valuable work done. However, this convenience brings threats with it. Cyber intruders take every chance to infiltrate our private systems and devices, and they produce large amounts of malware capable of capturing the data of an entire business organization. The risk of malware is therefore unavoidable.

In this article, you will learn about a new flaw in PHPMailer, one of the best-known PHP email-sending libraries. This recent hole in PHPMailer is a remote code execution vulnerability, and it can undermine the entire security of a website. The flaw was first found by a security researcher named Dawid Golunski.

According to Golunski, the recent version of PHPMailer, 5.2.18, has this remote code execution vulnerability. An initial bug fix was included in the latest version of PHPMailer, but problems remained: the patch was incomplete. Many content management systems (CMS), such as WordPress, Joomla, and Drupal, use the PHPMailer library directly or indirectly, so the current flaw can cause serious harm to websites built on those CMSs.

However, the impact varies from website to website. For example, Joomla’s security team has determined that its JMail class, which relies on PHPMailer, performs additional validation that prevents the vulnerability from being exploited. For this reason, the PHPMailer flaw is not expected to cause greater harm on Joomla.

So, how does the flaw affect the victim? It is triggered only when the sender email input is insufficiently validated. That allows an attacker to inject shell commands that are executed on the web server in the context of the Sendmail program. It can only happen, however, when a web form that uses PHPMailer to send email is present.
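The defensive pattern that follows from the paragraph above is to keep user input out of the sender address entirely and to validate any address that reaches the mail transport. The following contact-form handler is an added example written for this article, not code from PHPMailer or from any of the projects mentioned; it assumes PHPMailer 5.2.x is loaded through a Composer autoloader and that the site’s own outgoing address is held in a constant (both hypothetical).

```php
<?php
// Added example (not from the article or the PHPMailer project): a contact-form
// handler that never lets visitor input become the sender address handed to sendmail.
// Assumptions: PHPMailer 5.2.x via Composer autoload, and a configured site sender
// held in a constant. Both are hypothetical for this illustration.
require 'vendor/autoload.php';

const SITE_SENDER = 'noreply@example.com'; // configured sender, never user input

/**
 * Conservative check for an address that will be passed to a mail transport.
 * Accepts only a plain mailbox@domain form: no spaces, quotes, backslashes or
 * other characters that quoted local parts would otherwise permit. This is
 * deliberately stricter than FILTER_VALIDATE_EMAIL alone.
 */
function isSafeAddress($addr)
{
    if (!is_string($addr) || strlen($addr) > 254) {
        return false;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Only unquoted dot-atom local parts and plain hostnames.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr) === 1;
}

function sendContactForm(array $post)
{
    $visitor = isset($post['email']) ? trim($post['email']) : '';
    if (!isSafeAddress($visitor)) {
        return false;                        // reject; do not try to "clean up"
    }
    $mail = new PHPMailer();
    $mail->isSendmail();                     // the transport the article describes
    $mail->setFrom(SITE_SENDER, 'Website');  // fixed, trusted sender address
    $mail->addReplyTo($visitor);             // visitor address only as a Reply-To header
    $mail->addAddress('owner@example.com');  // site owner (constructed value)
    $mail->Subject = 'Contact form message';
    $mail->Body    = isset($post['message']) ? $post['message'] : '';
    return $mail->send();
}
```

The visitor’s address is used only in a Reply-To header, so the sender address that PHPMailer passes to sendmail always comes from configuration rather than from the form.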

What the experts are saying

Joomla’s security team recently stated: “All places in the core Joomla API which send mail use the sender address set in the global configuration and does not allow for user input to be set elsewhere. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.”

The WordPress team, on the other hand, says the flaw has no significant effect on its core code, because its WP_Mail function does not use the affected PHPMailer feature. Before the release of WordPress 4.7.1, WordPress lead developer Dion Hulse said that the newer version would include a mitigation for the issue. He also said, “We’re committed to only shipping secure libraries with WordPress, regardless of whether we use the feature or not.”

The Drupal team says, “Given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers.”

As you can see, the recent PHPMailer flaw can still put millions of websites at risk, so it is up to you to be careful. How? Follow the recommended cyber security and internet security tips. We hope this article helps you; stay tuned for more security news.