FortiGuard Labs Threat Research

PHPMailer Powered – Use It, But Also Remember to Update It

By Tien Phan | February 16, 2017

At the end of last year, a critical vulnerability in PHPMailer that affected millions of websites – CVE-2016-10033 -  was discovered by Polish security researcher Dawid Golunski. This vulnerability allows an attacker to compromise the target’s web application by executing remote code on the vulnerable web server.

There are numerous open source web applications that use PHPMailer as their main library for sending emails, including WordPress, Joomla, Yii, SugarCRM…

More than a month after PHPMailer released a patch for this critical vulnerability we compiled this short research, and the result may surprise you. As you will see, there are still a lot of web open source projects that are still using the unpatched (exploitable) PHPMailer library. 
We based our research on the top PHP open source web applications list that is maintained on GitHub.

The upper class PHP projects

First of all, we took a look at around 900 PHP projects with more than 500 stars (★). In this set, 27 projects were using PHPMailer for sending email.

Figure 1 Project using PHPMailer

Figure 1 Project using PHPMailer

While there are not a lot of PHP projects using PHPMailer, we were surprised to learn that nearly 40% of 500★ projects using PHPMailer forgot to update the vulnerable library.

Figure 2 500★ PHPMailer projects

Figure 2 500 PHPMailer projects

From 100 to 500 stars PHP projects

When checking projects with fewer stars than the popular 500★ projects described above, the number using PHPMailer in their core remained the same, at about 4% of the total

Figure 3 100-500★ Project using PHPMailer

Figure 3 100-500 Project using PHPMailer

However, the number of PHPMailer powered projects in the 100-500★ group found to be using the vulnerable, unpatched version of the software more than doubled to over 65%, as compared to the 500★ projects.

Figure 4 100-500★ PHPMailer projects

Figure 4 100-500 PHPMailer projects


Unfortunately, these results are fairly consistent with other disclosed vulnerabilities that have patches available. In spite on constant warnings, developers and organizations often fail to update vulnerable products in a timely manner. In this case, it’s been more than a month since LegalHacker provided a detailed report on this PHPMailer vulnerability and a patch was made available. And yet, based on our findings, there are still a lot of developers embedding outdated and vulnerable versions of PHPMailer into their products, which can directly lead to their users being compromised.

Once again, we highly recommended to everyone that they update PHPMailer library to the latest version as soon as possible, establish a routine patching protocol, and be wary in the future.

Fortinet has released IPS signature PHP.App.Email.Arguments.Parsing.Remote.Code.Execution to detect and address the PHPMailer vulnerability.

-=FortiGuard Lion Team=-


Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.