CVE-2023-35169
📋 TL;DR
CVE-2023-35169 is a critical directory traversal vulnerability in the PHP-IMAP library that allows unauthenticated attackers to achieve remote code execution. Any application using affected versions of webklex/php-imap or webklex/laravel-imap that stores email attachments without proper filename sanitization is vulnerable. An attacker can write attachment files to arbitrary locations where the web server process has write permissions.
💻 Affected Systems
- webklex/php-imap
- webklex/laravel-imap
📦 What is this software?
PHP-IMAP by Webklex
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining shell access, installing backdoors, stealing data, and pivoting to other systems.
Likely Case
Webshell deployment leading to data exfiltration, cryptocurrency mining, or participation in botnets.
If Mitigated
Limited file overwrite capability without code execution if proper file permissions and directory restrictions are in place.
🎯 Exploit Status
Exploitation requires sending a specially crafted email to a monitored mailbox and the application processing attachments with vulnerable code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.0
Vendor Advisory: https://github.com/Webklex/php-imap/security/advisories/GHSA-47p7-xfcc-4pv9
Restart Required: No
Instructions:
1. Update composer.json to require "webklex/php-imap": "^5.3.0"
2. Run composer update webklex/php-imap
3. Test email attachment functionality
🔧 Temporary Workarounds
Manual filename sanitization
Always pass a sanitized filename argument to the Attachment::save() method, stripping directory traversal sequences and validating file extensions.
Restrict attachment storage directory
Configure the web server to deny execution of PHP files in attachment storage directories and set proper file permissions. Note that the find command below removes every .php file under the attachment directory, so run it only where that directory should never legitimately contain PHP source.
chmod 644 /path/to/attachments/*
find /path/to/attachments -name '*.php' -delete
🧯 If You Can't Patch
- Implement strict input validation for attachment filenames, rejecting any containing '../' or similar traversal sequences.
- Run PHP applications with minimal file system write permissions and isolate attachment storage to non-web-accessible directories.
🔍 How to Verify
Check if Vulnerable:
Check composer.lock or vendor/webklex/php-imap/composer.json for a version below 5.3.0, and review application code for Attachment::save() calls that do not pass a sanitized filename argument.
Check Version:
composer show webklex/php-imap | grep versions
Verify Fix Applied:
Confirm that version 5.3.0 or higher is installed, then test (outside production) that attachments whose filenames contain '../' sequences are saved inside the intended storage directory.
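The following PHP is an added example, not code from webklex/php-imap or from the advisory. It implements the manual filename sanitization workaround described above (single path component, traversal sequences removed, extension allow-list) and the verification step from this section: a constructed set of traversal-style filenames is pushed through the sanitizer and the resulting path is checked to lie directly inside the storage directory. The `$attachment->name` attribute in the usage comment is an assumption about the library's API; the function names and allowed-extension list are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not code from webklex/php-imap. Normalise an attacker-supplied
// attachment name so it cannot escape the storage directory, allow-list the
// extension, and prove the final path stays inside that directory before writing.

/**
 * Reduce an untrusted attachment name to one safe path component.
 * Unknown or executable extensions (php, phtml, ...) are replaced by ".bin".
 */
function sanitizeAttachmentName(
    ?string $raw,
    array $allowedExt = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'csv'],
    string $fallback = 'attachment'
): string {
    $name = $raw ?? '';
    // NUL bytes truncate the path in the C-level filesystem call; drop them first.
    $name = str_replace("\0", '', $name);
    // Decode percent-encoding once so "%2e%2e%2f" is seen as "../" by the checks below.
    $name = rawurldecode($name);
    // Treat backslash as a separator too, then keep only the last path component.
    $name = basename(str_replace('\\', '/', $name));
    // Replace everything outside a conservative character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // No leading dots: blocks ".", "..", ".htaccess" and similar names.
    $name = ltrim($name, '.');
    if ($name === '') {
        $name = $fallback;
    }
    $stem = pathinfo($name, PATHINFO_FILENAME);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Collapse inner dots so "shell.php.pdf" cannot trigger multi-extension handling.
    $stem = str_replace('.', '_', $stem);
    if ($stem === '') {          // defensive; cannot happen after ltrim above
        $stem = $fallback;
    }
    $stem = substr($stem, 0, 150);   // keep names short enough for any filesystem
    return in_array($ext, $allowedExt, true) ? "$stem.$ext" : "$stem.bin";
}

/**
 * Build the absolute target path and require that it lies directly inside $baseDir.
 * Returns null when the directory is missing or the name would leave it.
 */
function resolveInside(string $baseDir, string $filename): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $filename;
    // The file does not exist yet, so resolve its parent directory instead and
    // insist that it is exactly the storage directory (no subdirectories, no escapes).
    return realpath(dirname($target)) === $base ? $target : null;
}

/** Constructed test names (not real samples) covering the traversal patterns the advisory describes. */
function selfTest(): array
{
    $cases = [
        '../../var/www/html/shell.php' => 'shell.bin',
        '..\\..\\web\\cmd.php'          => 'cmd.bin',
        '%2e%2e%2fevil.php'             => 'evil.bin',
        "note\0.php.txt"                => 'note_php.txt',
        'shell.php.pdf'                 => 'shell_php.pdf',
        '.htaccess'                     => 'htaccess.bin',
        '...'                           => 'attachment.bin',
        'Invoice 2023.PDF'              => 'Invoice_2023.pdf',
    ];
    $failures = [];
    foreach ($cases as $input => $expected) {
        $got = sanitizeAttachmentName($input);
        if ($got !== $expected) {
            $failures[] = sprintf('%s => %s (expected %s)',
                addcslashes($input, "\0..\37"), $got, $expected);
        }
    }
    return $failures;
}

// Usage with php-imap (attribute name assumed): pass the sanitized name as the
// second argument of save() and refuse to write when resolveInside() returns null:
//   $safe = sanitizeAttachmentName($attachment->name);
//   if (resolveInside($dir, $safe) !== null) { $attachment->save($dir, $safe); }
if (PHP_SAPI === 'cli') {
    $failures = selfTest();
    echo $failures ? implode(PHP_EOL, $failures) . PHP_EOL : "all cases sanitised\n";
    exit($failures ? 1 : 0);
}
```

Running the file from the command line exits non-zero and lists any case the sanitizer did not neutralise; the same check can be pointed at a patched library by saving each constructed name through Attachment::save() into a scratch directory and confirming with resolveInside() that nothing landed outside it.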
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in web directories
- PHP file writes in attachment directories
- Email processing errors with malformed filenames
Network Indicators:
- Inbound emails with attachment filenames containing directory traversal sequences
- Outbound connections from web server to suspicious IPs
SIEM Query:
source="web_logs" AND (filename="*../*" OR path="*../*") AND action="save"
🔗 References
- https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L251-L255
- https://github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L252
- https://github.com/Webklex/php-imap/pull/414
- https://github.com/Webklex/php-imap/releases/tag/5.3.0
- https://github.com/Webklex/php-imap/security/advisories/GHSA-47p7-xfcc-4pv9