CVE-2016-9492
📋 TL;DR
This vulnerability allows attackers to upload PHP files with uncommon extensions to websites using PHP FormMail Generator, potentially leading to remote code execution. The generated code fails to block all PHP file variations, and while filenames get randomized, attackers can guess them. Anyone using PHP FormMail Generator code generated before December 17, 2016 is affected.
💻 Affected Systems
- PHP FormMail Generator
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing data theft, defacement, or malware deployment.
Likely Case
Webshell upload leading to unauthorized access, data exfiltration, or site defacement.
If Mitigated
Limited impact if proper file upload validation and web server security controls are implemented.
🎯 Exploit Status
Exploitation requires guessing randomized filenames, but automated tools can brute-force this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Code generated on or after December 17, 2016
Vendor Advisory: https://www.kb.cert.org/vuls/id/608591
Restart Required: No
Instructions:
1. Regenerate all forms using a PHP FormMail Generator version from December 17, 2016 or later.
2. Replace existing form.lib.php files with the newly generated versions.
3. Remove any previously uploaded suspicious files from upload directories.
🔧 Temporary Workarounds
Manual file extension validation
Add comprehensive PHP file extension blocking to form.lib.php
Edit form.lib.php to add extensions such as .php3, .php4, .php5, .phtml and .phpt to the $dangerous_extensions array
Web server file execution blocking
Configure the web server to prevent execution of uploaded files
For Apache: Add 'php_flag engine off' to .htaccess in the upload directory (effective only when PHP runs as an Apache module and .htaccess overrides are allowed there)
For Nginx: Add 'location ~ \.(php|php3|php4|php5|phtml|phpt)$ { deny all; }' to the upload directory config, scoped to the upload path so it does not block the site's own PHP
🧯 If You Can't Patch
- Disable file upload functionality entirely in affected forms
- Implement web application firewall rules to block uploads of executable files
🔍 How to Verify
Check if Vulnerable:
Check form.lib.php file creation date and review the $dangerous_extensions array for missing PHP extensions
Check Version:
grep -n "dangerous_extensions" form.lib.php
Verify Fix Applied:
Verify form.lib.php was regenerated after December 17, 2016 and contains comprehensive PHP extension blocking
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with uncommon PHP extensions
- Access to files with randomized names in upload directories
Network Indicators:
- POST requests to upload endpoints with PHP file content
- Subsequent requests to uploaded files with executable extensions
SIEM Query:
source="web_logs" (method="POST" AND uri="*upload*" AND (extension="php3" OR extension="php4" OR extension="php5" OR extension="phtml" OR extension="phpt"))
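A small detector for the log and network indicators above, added here as an example and not part of the advisory. It assumes Apache/nginx combined access-log format and an upload directory served under `/uploads/` (both assumptions); the log lines are constructed samples. It flags POSTs to an upload endpoint, any request for a PHP-executable name under the upload directory, and the sequence of the two from one client.

```python
import re
from typing import Dict, List

# Extensions the PHP interpreter may execute; the pre-fix generated code only
# blocked some of them, which is what the workaround above corrects.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phpt"}
UPLOAD_DIR = "/uploads/"  # assumed web path of the form's upload directory

# Apache/nginx "combined" access-log line (sample lines constructed below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def is_executable_name(filename: str) -> bool:
    """True if any dotted suffix is a PHP-executable extension (case-insensitive).
    Every suffix is checked, not only the last, so 'x.phtml.jpg' is also caught."""
    return any(part in PHP_EXTENSIONS for part in filename.lower().split(".")[1:])

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings: 'upload-attempt' (POST to an upload endpoint),
    'executable-in-upload-dir' (request for a PHP name under UPLOAD_DIR), and
    'webshell-access' when the latter follows an upload attempt from the same IP."""
    uploaders = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, raw_uri = m["ip"], m["method"], m["uri"]
        path = raw_uri.split("?", 1)[0]
        if method == "POST" and "upload" in raw_uri.lower():
            uploaders.add(ip)
            findings.append({"ip": ip, "uri": raw_uri, "kind": "upload-attempt"})
        elif path.startswith(UPLOAD_DIR) and is_executable_name(path.rsplit("/", 1)[-1]):
            kind = "webshell-access" if ip in uploaders else "executable-in-upload-dir"
            findings.append({"ip": ip, "uri": path, "kind": kind})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [18/Dec/2016:10:01:02 +0000] "POST /form.php?action=upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Dec/2016:10:01:05 +0000] "GET /uploads/a8f3c1.php5 HTTP/1.1" 200 88',
    '198.51.100.9 - - [18/Dec/2016:10:02:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 4096',
    '198.51.100.9 - - [18/Dec/2016:10:02:30 +0000] "GET /uploads/b71e.PHTML HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```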