Code Injection in causefx/organizr

Reported on Jul 23rd 2021

✍️ Description

The bundled PHPMailer dependency, "version": "v6.4.1", is vulnerable to code injection: affected versions of this package allow arbitrary code execution. If the $lang_path parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to persuade the server to load a file from that UNC path, a script file under their control may be executed. This vulnerability only applies to systems that resolve UNC paths, typically only Microsoft Windows. PHPMailer 6.5.0 mitigates this by no longer treating translation files as PHP code, but by parsing their text content directly. This approach avoids the possibility of executing unknown code while retaining backward compatibility.
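The two defensive measures the description points at, a guard that refuses UNC-style (and out-of-tree) $lang_path values and a translation loader that reads the language file as text instead of executing it, shown as an added PHP illustration that is not PHPMailer's or Organizr's own code; the function names, the allowed-directory rule, the line pattern accepted by the parser (an approximation of the 6.5.0 approach) and the sample file are assumptions.

```php
<?php
// Added example (not PHPMailer/Organizr code): load a translation file as
// text instead of include-ing it, and guard the $lang_path value first.
const DEFAULT_LANG = [
    'authenticate' => 'SMTP Error: Could not authenticate.',
    'connect_host' => 'SMTP Error: Could not connect to SMTP host.',
];
// Reject UNC prefixes ("\\host\share", "//host/share") and any path that
// resolves outside $baseDir; realpath() also collapses ".." segments.
function safeLangPath(string $langPath, string $baseDir): ?string
{
    if (preg_match('#^(\\\\\\\\|//)#', $langPath)) {
        return null;
    }
    $real = realpath($langPath);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0)) {
        return null;
    }
    return $real . DIRECTORY_SEPARATOR;
}
// Instead of `include $langPath . 'phpmailer.lang-xx.php'` (which runs any PHP
// in the file), accept only lines shaped like $PHPMAILER_LANG['key'] = 'value';
// and only for keys that already exist; every other line is ignored.
function loadLangSafe(string $langPath, string $code): array
{
    $lang = DEFAULT_LANG;
    $file = $langPath . 'phpmailer.lang-' . $code . '.php';
    if (!is_readable($file)) {
        return $lang;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        if (preg_match('/^\$PHPMAILER_LANG\[\'([a-z\d_]+)\'\]\s*=\s*([\'"])(.*?)\2;/', $line, $m)
            && array_key_exists($m[1], $lang)) {
            $lang[$m[1]] = $m[3];
        }
    }
    return $lang;
}
// Constructed sample: a translation file with one valid line and one line that
// would execute under include but is simply skipped by the text parser.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo';
@mkdir($dir);
file_put_contents("$dir/phpmailer.lang-xx.php",
    "<?php\n\$PHPMAILER_LANG['authenticate'] = 'Anmeldung fehlgeschlagen.';\necho 'ran';\n");
var_dump(loadLangSafe(safeLangPath($dir, sys_get_temp_dir()), 'xx'));
var_dump(safeLangPath('\\\\host\\share\\', sys_get_temp_dir()));  // NULL
```

Only the 'authenticate' string changes in the first dump and nothing from the file is executed; the UNC-style path in the second call is rejected before any file access.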

🕵️‍♂️ Proof of Concept

// PoC.js
"name": "phpmailer/phpmailer",
"version": "v6.4.1",

# 💥 Impact
PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname.
We have contacted a member of the causefx/organizr team and are waiting to hear back a year ago
causefx validated this vulnerability a year ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx marked this as fixed with commit 686e9e a year ago
causefx has been awarded the fix bounty
This vulnerability will not receive a CVE