Code Injection in causefx/organizr

Valid

Reported on Jul 23rd 2021


✍️ Description

Organizr bundles phpmailer/phpmailer v6.4.1. PHPMailer before 6.5.0 is vulnerable to arbitrary code execution through its language loader: if the $lang_path parameter of setLanguage() is passed unfiltered from user input, it can be set to a UNC path (for example \\attacker\share\), and if the attacker can also persuade the server to load a translation file from that path, a PHP file under their control is executed. Only systems that resolve UNC paths are affected, which in practice means Microsoft Windows. PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code: it reads their text content and extracts the translation strings directly, which avoids executing unknown code while retaining backward compatibility.
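The following is an added example (my own code, not PHPMailer's or Organizr's) that puts the two behaviours side by side: the pre-6.5.0 pattern, in which the translation file is executed with include, and a 6.5.0-style loader that reads the file as text and keeps only the $PHPMAILER_LANG assignments. The regex, the rejection of UNC and stream-wrapper prefixes, the language-code check, and the temporary directory, translation file and marker file are all constructed for this demo; PHPMailer's real code differs in detail. It assumes PHP 7.3 or later.

```php
<?php
// Added example, not PHPMailer's or Organizr's own code. It contrasts the
// pre-6.5.0 pattern (execute the translation file) with the 6.5.0-style
// approach (read it as text and extract the assignments). The directory,
// file name and marker file below are constructed for the demo.
declare(strict_types=1);

function languageFile(string $langCode, string $langPath): string
{
    return rtrim($langPath, '/\\') . DIRECTORY_SEPARATOR . 'phpmailer.lang-' . $langCode . '.php';
}

// Vulnerable pattern: the translation file is executed with include.
// On Windows, a $langPath of \\attacker\share\ is a UNC path, so whoever
// controls that share controls the PHP that runs here.
function loadLanguageByInclude(string $langCode, string $langPath): array
{
    $PHPMAILER_LANG = [];
    $file = languageFile($langCode, $langPath);
    if (is_readable($file)) {
        include $file; // runs arbitrary code if $file is attacker-controlled
    }
    return $PHPMAILER_LANG;
}

// Hardened pattern: reject non-local paths, then read the file as text and
// keep only lines of the form $PHPMAILER_LANG['key'] = 'value'; nothing runs.
function loadLanguageByParsing(string $langCode, string $langPath): array
{
    $prefix = substr($langPath, 0, 2);
    if ($prefix === '\\\\' || $prefix === '//' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $langPath)) {
        throw new InvalidArgumentException('refusing UNC or wrapper path: ' . $langPath);
    }
    if (!preg_match('/^[a-z]{2}(_[a-z]{2})?$/i', $langCode)) {
        throw new InvalidArgumentException('invalid language code: ' . $langCode);
    }
    $lang = [];
    $file = languageFile($langCode, $langPath);
    if (!is_readable($file)) {
        return $lang;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        // e.g. $PHPMAILER_LANG['authenticate'] = 'SMTP Error: Could not authenticate.';
        if (preg_match('/^\s*\$PHPMAILER_LANG\[\'([a-z0-9_]+)\'\]\s*=\s*([\'"])(.*)\2\s*;/i', $line, $m)) {
            $lang[$m[1]] = $m[3];
        }
    }
    return $lang;
}

// Demo: a translation file that also carries a stand-in for attacker code.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$marker = $dir . DIRECTORY_SEPARATOR . 'marker.txt';
file_put_contents(languageFile('xx', $dir), <<<'EOT'
<?php
$PHPMAILER_LANG['authenticate'] = 'SMTP Error: Could not authenticate.';
// Stand-in for attacker-supplied code: include executes it, the parser ignores it.
file_put_contents(__DIR__ . DIRECTORY_SEPARATOR . 'marker.txt', 'executed');
EOT);

$byInclude = loadLanguageByInclude('xx', $dir);
printf("include: authenticate=%s, payload executed: %s\n",
    $byInclude['authenticate'], file_exists($marker) ? 'yes' : 'no');
@unlink($marker);

$byParsing = loadLanguageByParsing('xx', $dir);
printf("parse:   authenticate=%s, payload executed: %s\n",
    $byParsing['authenticate'], file_exists($marker) ? 'yes' : 'no');

// The UNC path that makes the include variant dangerous is refused before any I/O.
try {
    loadLanguageByParsing('xx', '\\\\attacker\\share\\');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

unlink(languageFile('xx', $dir));
rmdir($dir);
```

Both loaders return the same translation string, but the marker file appears only after the include variant runs, because the parsing variant never hands the file to the PHP interpreter. The prefix check is the belt-and-braces part: even with a text parser, a translation directory should never be a UNC share or a stream wrapper, since is_readable and file() on such a path still cause the server to reach out to an attacker-chosen host.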

🕵️‍♂️ Proof of Concept

The proof of concept is the dependency entry for phpmailer/phpmailer in Organizr's dependency lock file, showing the vulnerable version (the original submission labelled it PoC.js, but the snippet is JSON, and it is truncated after `"source":`):

```json
{
    "name": "phpmailer/phpmailer",
    "version": "v6.4.1",
    "source": {
```

# 💥 Impact
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
- 5 months ago: we contacted a member of the causefx/organizr team and are waiting to hear back
- 4 months ago: causefx validated this vulnerability
- Raptor has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- 4 months ago: causefx confirmed that a fix has been merged on 686e9e
- causefx has been awarded the fix bounty