Commentary Archive July 2007

Mantis: Evaluating a PHPMailer Vulnerability

A report was submitted to the Mantis team this week describing a vulnerability in the PHPMailer class. This class is used by Mantis to send notification emails for issue updates.

The exploit takes advantage of a hole in how PHP implements its internal interface to the sendmail MTA: the setting for the sender address can be used to gain access to system resources. This exploit is described at http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215.

After reviewing the Mantis code, we determined that this vulnerability does not affect the operation of the tool. We read the sender address from configuration data, so to use this exploit someone would already need administrator-level access and/or direct access to the database. The probability of exploitation is very low. A small patch will be added in the next release to prevent the problem completely.
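The kind of check described above, written here as an added example (not Mantis or PHPMailer code; function names are hypothetical): the configured sender address is validated against a strict allowlist and quoted before it is ever placed on a sendmail command line.

```php
<?php
// Added example, not code from Mantis or PHPMailer. Function names are hypothetical.

// Accept only a plain local@domain form with a restricted character set.
// This deliberately rejects some valid-but-exotic addresses (quoted local parts,
// comments) in exchange for guaranteeing no shell metacharacters get through.
function is_safe_sender_address(string $address): bool
{
    if (strlen($address) > 254) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $address) === 1;
}

// The shape of the vulnerable path the page describes: the sender value is
// interpolated into a string that popen() hands to a shell. Shown for contrast
// only; it is never called below.
function build_sendmail_command_unsafe(string $sendmail, string $sender): string
{
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), $sender);
}

// Hardened form: refuse anything outside the allowlist, and still quote the
// argument so the shell never interprets it even if validation is later relaxed.
function build_sendmail_command(string $sendmail, string $sender): string
{
    if (!is_safe_sender_address($sender)) {
        throw new InvalidArgumentException('Refusing malformed sender address from configuration');
    }
    return sprintf('%s -oi -f %s -t', escapeshellcmd($sendmail), escapeshellarg($sender));
}

// Constructed sample values: a normal configured address and a malformed one.
$samples = ['mantis@example.com', 'mantis@example.com; echo not-an-address'];
foreach ($samples as $sender) {
    try {
        echo build_sendmail_command('/usr/sbin/sendmail', $sender), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Because the value comes from configuration, the same check belongs wherever an administrator saves it, so a bad address is refused at write time and not only at send time.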

In general, we recommend using SMTP mode rather than the local sendmail implementation. Most platforms (Windows especially) have problems with PHP's internal sendmail implementation. The PHPMailer SMTP implementation is more robust and slightly faster.

Copyright 2006, Logical Outcome Ltd.