CVE-2021-3603
📋 TL;DR
PHPMailer 6.4.1 and earlier resolve the email address validator by name: validateAddress() passes the configured validator (a plain string, 'php' by default) through is_callable() and, if that returns true, calls it with call_user_func(). If any code has defined a function named php in the global namespace, is_callable('php') is true and that function runs in place of the built-in filter_var() check, receiving the address under validation as its argument. Every application that calls PHPMailer with the default validator setting is affected, but the attacker must already be able to get a function definition into the process by some other route.
💻 Affected Systems
- PHPMailer
📦 What is this software?
Fedora by Fedoraproject
Phpmailer by Phpmailer Project
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution inside the web application on every address validation, if an attacker can already define a global function named php (for example through a file-write, file-upload or local-file-include flaw elsewhere); from there, full compromise of the application host.
Likely Case
Low on its own: defining the function already requires a code-injection or file-write primitive. The practical value to an attacker is a reliable, legitimate-looking trigger for planted code (every mail send validates addresses), which suits persistence and turning a file-write primitive into code execution.
If Mitigated
No impact if untrusted code cannot define functions in the process (no writable PHP files under the web root, no include of user-influenced paths), or if the application validates addresses with its own closure rather than a string label.
🎯 Exploit Status
No standalone exploit exists: exploitation requires first injecting a function named php into the global namespace through another vulnerability, after which any validateAddress() call that uses the default validator executes it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.0 and later
Vendor Advisory: https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
Restart Required: No
Instructions:
1. Update PHPMailer to version 6.5.0 or later using composer: 'composer require phpmailer/phpmailer:^6.5.0'
2. If not using composer, replace the PHPMailer directory with the updated release.
3. Test email functionality.
🔧 Temporary Workarounds
Change validator method
Stop passing a bare string label as the validator. On 6.4.1 every string label ('php', 'html5', 'pcre') goes through the same is_callable() check, so switching to 'html5' only moves the collision to a function named html5, and 'regex' is not a recognised label at all (unknown labels fall through to the default filter_var() case). Set the static $validator property, or the second argument of validateAddress(), to a closure you control:
\PHPMailer\PHPMailer\PHPMailer::$validator = static function ($address) { return filter_var($address, FILTER_VALIDATE_EMAIL) !== false; };
Note that $validator is a static property; assigning $mailer->validator on an instance does not change it.
Namespace isolation
Ensure no untrusted code can define functions in the global namespace: no PHP files writable by the web server user under the web root or vendor/ tree, and no include or require of user-influenced paths.
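To make the collision and the fix concrete, here is an added example that is not PHPMailer's own code: a cut-down model of the validateAddress() dispatch as it was in 6.4.1 and as changed in 6.5.0, with a planted global php() and the closure form of the validator that is safe on both versions. The names validate_6_4_1, validate_6_5_0 and builtin_validator are stand-ins for the real method, and the html5/pcre regex cases are left out because only the dispatch matters here.

```php
<?php
// Added example (not PHPMailer's own code): a minimal model of the validator
// dispatch in PHPMailer::validateAddress() for 6.4.1 and for the 6.5.0 fix.
// validate_6_4_1(), validate_6_5_0() and builtin_validator() are stand-ins
// for the real method; the html5/pcre regex cases are omitted.
declare(strict_types=1);

// Attacker-planted code: a global function whose name collides with the
// default validator label 'php'. Here it just accepts anything; a real
// payload runs arbitrary code every time an address is validated.
function php(string $address): bool
{
    return true;
}

// Built-in validation shared by both models: PHPMailer's 'php' label (the
// default) is filter_var(); unknown labels also land here.
function builtin_validator(string $address, string $patternselect): bool
{
    // PHPMailer rejects line breaks before any pattern check.
    if (strpos($address, "\n") !== false || strpos($address, "\r") !== false) {
        return false;
    }
    switch ($patternselect) {
        case 'php':
        default:
            return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
    }
}

// 6.4.1: any callable, including a plain string, is dispatched with
// call_user_func(). is_callable('php') is true once the function above
// exists, so the string never reaches the switch.
function validate_6_4_1(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtin_validator($address, (string) $patternselect);
}

// 6.5.0 fix (commit 45f3c18): a string is never treated as a function name,
// so only a closure or array callable can replace the built-in validators.
function validate_6_5_0(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtin_validator($address, (string) $patternselect);
}

// A non-string callable is safe on both versions: the attacker cannot
// substitute it by defining a function. This is the workaround for 6.4.1.
$safeValidator = static function (string $address): bool {
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
};

$junk = 'not an address';

// Default label on 6.4.1 with php() planted: the junk address is accepted.
var_dump(validate_6_4_1($junk));
// Renaming the label to 'html5' would not help on 6.4.1, since a planted
// html5() would be dispatched the same way; the closure is the safe form.
var_dump(validate_6_4_1($junk, $safeValidator));
// On 6.5.0 the string 'php' falls through to filter_var() even though php()
// exists, and the closure form still works.
var_dump(validate_6_5_0($junk));
var_dump(validate_6_5_0('user@example.com', $safeValidator));
```

Run it with PHP 7.0 or later. The first var_dump prints bool(true), the junk address having been accepted by the planted function; the remaining three print bool(false), bool(false) and bool(true). On the real library the equivalent workaround is \PHPMailer\PHPMailer\PHPMailer::$validator = $safeValidator; (the property is static, so assigning $mailer->validator does not set it), or passing $safeValidator as the second argument to validateAddress().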
🧯 If You Can't Patch
- Make the web root, vendor tree and any plugin or theme directories read-only for the PHP process user, so that a file-write bug elsewhere cannot plant a function definition
- Keep strict validation on any input that can reach file writes, uploads or include/require paths; that is the only route by which the colliding function gets defined
- Audit the codebase for definitions of a global function named php (and of any other bare label you pass as a validator); a web application firewall cannot see PHP source and does not help with this issue
🔍 How to Verify
Check if Vulnerable:
Check the installed version in composer.lock or in the VERSION constant near the top of src/PHPMailer.php; composer.json only records the version constraint, not what is installed
Check Version:
composer show phpmailer/phpmailer 2>/dev/null | grep '^versions' || grep -m1 'const VERSION' vendor/phpmailer/phpmailer/src/PHPMailer.php 2>/dev/null || echo 'Check manually'
Verify Fix Applied:
Confirm the installed PHPMailer version is 6.5.0 or later, then confirm the behaviour: in a test script that defines a global function named php returning true, PHPMailer::validateAddress() on a malformed address must still return false. Finish by sending a test message.
📡 Detection & Monitoring
Log Indicators:
- There is no direct log line for the hijack: PHP does not log function dispatch, and a hijacked validator silently returns whatever the planted function returns. Treat the appearance of a file defining a function named php anywhere the autoloader or includes can reach as the indicator
- File-integrity or deployment alerts for PHP files created or modified under the web root or vendor/ outside a release
- Mail-sending code that suddenly accepts malformed recipient addresses it used to reject
Network Indicators:
- Unusual outbound connections from PHP worker processes following mail-sending or address-validation code paths
SIEM Query (field names are illustrative; map them to your file-integrity source):
source="file_integrity" AND file_path="*.php" AND (action="created" OR action="modified")
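The following added example, which is not PHPMailer project code, puts the two checks above into one script: the version check from "How to Verify" and a scan for a planted global php() function as a detection step. It assumes the standard composer layout (composer.lock at the project root, the library under vendor/phpmailer/phpmailer); the function names are my own, and the demo tree it builds in the temp directory is constructed for illustration.

```php
<?php
// Added example, not PHPMailer project code: report whether a project tree
// uses an affected PHPMailer (older than 6.5.0) and whether any PHP file in it
// defines a global function named php. The composer layout is assumed; the
// demo tree at the bottom is constructed for illustration.
declare(strict_types=1);

const FIXED_VERSION = '6.5.0';

// Installed version from composer.lock (recorded as "v6.4.1"), or null.
function phpmailerVersionFromLock(string $lockFile): ?string
{
    if (!is_file($lockFile)) {
        return null;
    }
    $lock = json_decode((string) file_get_contents($lockFile), true);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === 'phpmailer/phpmailer') {
                return $pkg['version'] ?? null;
            }
        }
    }
    return null;
}

// Version from the VERSION constant in src/PHPMailer.php, or null.
function phpmailerVersionFromSource(string $file): ?string
{
    if (!is_file($file)) {
        return null;
    }
    $src = (string) file_get_contents($file);
    return preg_match("/const VERSION = '([^']+)';/", $src, $m) === 1 ? $m[1] : null;
}

// Older than 6.5.0? Strips composer's "v" prefix; a version that does not
// start with digits (e.g. "dev-master") is reported as affected for review.
function isAffected(string $version): bool
{
    $clean = ltrim($version, 'v');
    if (preg_match('/^\d+\.\d+/', $clean) !== 1) {
        return true;
    }
    return version_compare($clean, FIXED_VERSION, '<');
}

// PHP files under $root that define a function named php. A definition inside
// a namespace would not collide with the global name, but still warrants a look.
function findPhpFunctionDefinitions(string $root): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $code = (string) file_get_contents($file->getPathname());
        if (preg_match('/^\s*function\s+php\s*\(/m', $code) === 1) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// --- constructed demo tree: lock file pinning 6.4.1 plus a planted helper ---
$demo = sys_get_temp_dir() . '/phpmailer-check-' . bin2hex(random_bytes(4));
mkdir("$demo/app", 0700, true);
file_put_contents("$demo/composer.lock", json_encode([
    'packages' => [['name' => 'phpmailer/phpmailer', 'version' => 'v6.4.1']],
]));
file_put_contents("$demo/app/helpers.php", "<?php\nfunction php(\$a) { return true; }\n");

$version = phpmailerVersionFromLock("$demo/composer.lock")
    ?? phpmailerVersionFromSource("$demo/vendor/phpmailer/phpmailer/src/PHPMailer.php");
if ($version === null) {
    echo "phpmailer/phpmailer not found under $demo\n";
} elseif (isAffected($version)) {
    echo "AFFECTED: phpmailer $version is older than " . FIXED_VERSION . "\n";
    foreach (findPhpFunctionDefinitions($demo) as $path) {
        echo "  function php() defined in $path\n";
    }
} else {
    echo "OK: phpmailer $version\n";
}
// Runtime form of the same audit, to run after the app's autoloader and
// includes: a true result on 6.4.1 means the default validator is hijacked.
echo 'php() defined in this process: ' . (function_exists('php') ? 'yes' : 'no') . "\n";

unlink("$demo/app/helpers.php");
unlink("$demo/composer.lock");
rmdir("$demo/app");
rmdir($demo);
```

Needs PHP 7.1 or later (nullable return types). Point the three lookups at a real project root instead of the demo tree to use it in practice; the demo run reports the constructed tree as affected and lists app/helpers.php. The version_compare() call is what makes 6.10.x sort correctly after 6.5.0, which a plain string comparison would get wrong.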
🔗 References
- https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/
- https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/