Evaluating a PHPMailer Vulnerability

A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.

The exploit takes advantage of a hole in how PHP implements the internal interface to the sendmail MTA. The setting for the sender address can be used to gain access to system resources. This exploit is described in “PHPMailer 0day remote command execution” and “CVE-2007-3215”.

After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool. We read the sender address from configuration data. To use this exploit, someone would require administrator-level access and/or direct access to the database. The probability of exploitation is very low. A small patch will be added in the next release to prevent the problem completely.
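The kind of check that closes this path is strict validation of the configured sender address before it reaches the sendmail interface. The following is an added example, not MantisBT or PHPMailer code; the function names and sample values are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: not MantisBT or PHPMailer code. Function names are hypothetical.

/**
 * Return $address unchanged if it is safe to use as a sendmail envelope
 * sender; throw otherwise. Allow-list: reject rather than try to escape.
 */
function safe_sender_address(string $address): string
{
    // A leading '-' could be read by the MTA binary as an option.
    if ($address === '' || $address[0] === '-') {
        throw new InvalidArgumentException('empty or option-like sender');
    }
    // Conservative allow-list. Quotes, whitespace, control characters and
    // shell metacharacters are all outside it, so they are rejected here.
    if (!preg_match('/\A[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,255}\z/', $address)) {
        throw new InvalidArgumentException('sender contains disallowed characters');
    }
    // Syntax check on top of the character allow-list.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('sender is not a valid address');
    }
    return $address;
}

/** Defence in depth: quote the validated value before it reaches a command line. */
function sendmail_sender_arg(string $address): string
{
    return '-f' . escapeshellarg(safe_sender_address($address));
}

// Constructed sample values standing in for a sender read from configuration.
$samples = [
    'noreply@example.com',          // plain address
    '-noreply@example.com',         // leading dash
    'noreply@example.com extra',    // embedded space
    "noreply@example.com\r\n",      // trailing CR LF
];

foreach ($samples as $sample) {
    try {
        echo sendmail_sender_arg($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), '): ', json_encode($sample), PHP_EOL;
    }
}
```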

In general, we recommend using the SMTP mode rather than the local sendmail implementation. Most platforms (Windows especially) have problems with PHP's internal sendmail implementation. The PHPMailer implementation of SMTP is more robust and slightly faster.

This post was prepared by thraxisp.


One Response to Evaluating a PHPMailer Vulnerability

  1. Adul says:

    Ever thought about using http://www.swiftmailer.org/? It's kept up to date, works really well and IMHO is better than phpmailer.