
A security flaw discovered in a common PHP script allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server.

The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code.

Over time, the library has grown in popularity and is currently included in hundreds of millions of websites on the Internet, along with some of the most popular PHP CMSs today, such as WordPress, Joomla, Drupal, SugarCRM, vTiger CRM, Mantis, XOOPS, Zikula, and more.

Patch released on Christmas Day

The security bug, tracked as CVE-2016-10033, was fixed on December 25 when the PHPMailer team released version 5.2.18 to address this issue.

Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks.

According to Dawid Golunski, the Polish security researcher who discovered this flaw, all PHPMailer versions before the patched 5.2.18 version are vulnerable.
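Since the article's only stated criterion is "every version before 5.2.18 is vulnerable", the practical defender's task is to find the PHPMailer copies bundled inside a web root and compare their declared version against that threshold. The following script is an added example, not code from the article or from the PHPMailer project; it assumes that 5.x copies declare their version as `public $Version = '...';` in `class.phpmailer.php` (WordPress ships it as `class-phpmailer.php`) and that 6.x copies use `const VERSION = '...';` in `PHPMailer.php`. The file names, paths and version strings in the demo are constructed.

```python
"""Added example: locate bundled PHPMailer copies under a web root and flag those
older than the patched 5.2.18 release named in the article."""
import os
import re
import tempfile
from typing import List, Optional, Tuple

FIXED_VERSION = "5.2.18"  # first release the article says carries the fix

# Assumption: 5.x copies declare `public $Version = '5.2.x';`, 6.x copies
# declare `const VERSION = '6.x.y';`.
VERSION_PATTERNS = (
    re.compile(r"\$Version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]"),
    re.compile(r"const\s+VERSION\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]"),
)
# Assumption: the file names under which the class is commonly bundled.
CANDIDATE_FILES = {"class.phpmailer.php", "class-phpmailer.php", "PHPMailer.php"}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.2.18' -> (5, 2, 18); numeric, so '5.2.9' sorts before '5.2.18'."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True for every version below the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def parse_version(source: str) -> Optional[str]:
    """Extract the declared version string from PHPMailer source text, if any."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def scan_tree(root: str) -> List[Tuple[str, Optional[str], bool]]:
    """Walk `root`; return (relative path, version, vulnerable) per PHPMailer copy.
    A copy whose version cannot be parsed is reported as None and flagged, so it
    is reviewed by hand rather than silently assumed safe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CANDIDATE_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            vulnerable = True if version is None else is_vulnerable(version)
            findings.append((os.path.relpath(path, root), version, vulnerable))
    return sorted(findings)


def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Constructed web root with four bundled copies, for a stand-alone run."""
    samples = {  # constructed sample files, not real project sources
        "wp-includes/class-phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.14';\n}\n",
        "vendor/phpmailer/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n    public $Version = '5.2.18';\n}\n",
        "modern/src/PHPMailer.php":
            "<?php\nclass PHPMailer {\n    const VERSION = '6.0.5';\n}\n",
        "legacy/mail/class.phpmailer.php":
            "<?php\n// stripped copy with no version declaration\nclass PHPMailer {}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {version or 'unknown':8} {path}")
```

Run it against a real document root by calling `scan_tree("/var/www")` instead of `demo()`. The check is deliberately conservative: a copy without a recognisable version line is flagged rather than ignored, and a CMS that vendors a patched copy under an old version number would still show as vulnerable, so treat a hit as "verify this file", not as proof of exposure.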

Exploit code already available online

The researcher understood that webmasters needed time to patch their systems, and in the vulnerability disclosure published on his site he declined to include in-depth details or exploit code.

Golunski's caution did not stop others from diffing the patched and unpatched PHPMailer source code, reverse engineering the security update, identifying the flaw, and releasing their own exploit code, which is now available on GitHub and ExploitDB.

Projects like WordPress and Drupal are currently preparing security patches that update the PHPMailer library embedded in their code to newer versions.

Earlier this year, Golunski also discovered several security flaws in the MySQL database engine that also allowed attackers to take over affected servers.