CVE-2016-10033

Name: CVE-2016-10033
Description: The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-770-1, DSA-3750-1
Debian Bugs: 849365

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          | Release                                        | Version               | Status
------------------------|------------------------------------------------|-----------------------|-------
libphp-phpmailer (PTS)  | jessie, jessie (lts)                           | 5.2.9+dfsg-2+deb8u6   | fixed
libphp-phpmailer (PTS)  | stretch (security), stretch (lts), stretch     | 5.2.14+dfsg-2.3+deb9u2 | fixed
libphp-phpmailer (PTS)  | buster                                         | 6.0.6-0.1             | fixed
libphp-phpmailer (PTS)  | bullseye                                       | 6.2.0-2               | fixed
libphp-phpmailer (PTS)  | bookworm                                       | 6.6.3-1               | fixed
libphp-phpmailer (PTS)  | sid, trixie                                    | 6.9.1-1               | fixed

The information below is based on the following data on fixed versions.

Package           | Type   | Release    | Fixed Version        | Urgency | Origin     | Debian Bugs
------------------|--------|------------|----------------------|---------|------------|------------
libphp-phpmailer  | source | wheezy     | 5.1-1.2              |         | DLA-770-1  |
libphp-phpmailer  | source | jessie     | 5.2.9+dfsg-2+deb8u2  |         | DSA-3750-1 |
libphp-phpmailer  | source | (unstable) | 5.2.14+dfsg-2.1      |         |            | 849365

Notes

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Fixed by: https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449
Fix potentially incomplete, cf https://www.openwall.com/lists/oss-security/2016/12/28/1
When updating libphp-phpmailer for CVE-2016-10033, make sure to apply the complete patch so that libphp-phpmailer is not left affected by CVE-2016-10045.
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
Needs followup: https://github.com/PHPMailer/PHPMailer/commit/9743ff5c7ee16e8d49187bd2e11149afb9485eae
Another followup: https://github.com/PHPMailer/PHPMailer/commit/833c35fe39715c3d01934508987e97af1fbc1ba0
