Wednesday, December 28, 2016

PHPMailer vulnerability

I blogged yesterday about the release of the PHPMailer vulnerability CVE-2016-10033 and how it was unlikely to be exploited in a default release of Joomla. Now there's a POC released, but I still haven't changed my position on this.

I'm sure that there are vulnerable applications out there. I also always recommend that people patch as soon as possible when patches are available (pending testing). But this one seems overhyped to me. Joomla! includes PHPMailer as a library, but doesn't use it in any way that allows for exploitation. SugarCRM uses PHPMailer, but it isn't immediately clear to me whether it is used in a way that allows the vulnerability to be triggered. Again, you should patch, but don't burn down the house to do it unless you know you are vulnerable.

As an aside, the default POC script (which every skiddie out there will use without modification) uses the string "zXJpHSq4mNy35tHe" as a content boundary. You can use this for your IDS to find attackers on the wire using the default POC script.
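One way to run that check over captured HTTP requests, as an added example that is not part of the original post or the POC. The function names and sample requests are constructed for illustration, and matching the string as a substring of the boundary is an assumption, since the post gives only the string itself.

```python
import re

# Boundary string the post gives for the default PoC script.
POC_MARKER = b"zXJpHSq4mNy35tHe"
BOUNDARY_RE = re.compile(rb'boundary\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)


def split_request(raw):
    """Split a raw HTTP/1.x request into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def matches_default_poc(raw):
    """True if the request declares or uses a boundary containing the marker."""
    headers, body = split_request(raw)
    m = BOUNDARY_RE.search(headers.get(b"content-type", b""))
    declared = (m.group(1) or m.group(2)) if m else b""
    if declared and POC_MARKER in declared:
        return True
    # Fallback: delimiter lines in the body, in case the header was
    # rewritten or dropped before the sensor saw the request.
    return any(l.startswith(b"--") and POC_MARKER in l
               for l in body.split(b"\r\n"))


# Constructed sample requests (benign form fields, hypothetical host/path).
SAMPLE_HIT = (
    b"POST /contact.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=zXJpHSq4mNy35tHe\r\n\r\n"
    b"--zXJpHSq4mNy35tHe\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\ntest\r\n'
    b"--zXJpHSq4mNy35tHe--\r\n"
)
SAMPLE_MISS = SAMPLE_HIT.replace(POC_MARKER, b"7MA4YWxkTrZu0gW9")

if __name__ == "__main__":
    for label, req in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, matches_default_poc(req))
```

Anchoring on the boundary header and on delimiter lines, rather than on any occurrence of the string, keeps pages that merely mention it (such as this one) from matching.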

Most of this content was cross-posted from my Peerlyst page.
