The disclosures can be found here:
- CVE-2016-10033 - PHPMailer < 5.2.18 Remote Code Execution
- CVE-2016-10045 - PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)
The PHPMailer developers' response can be read in the PHPMailer Wiki article "About the CVE 2016 10033 and CVE 2016 10045 vulnerabilities".
Rather than writing to all my customers asking them to update the library and hoping they actually do so, I wrote a simple shell script that updates the PHPMailer core files (class.smtp.php) found in the directories you supply.
The usage output of the script:

```
phpmailer-upgrade.sh v1.0.0 - Copyright (c) 2016 Derks.IT / Jeroen Derks
Upgrades PHPMailer files automatically to last version

usage: upgrade-phpmailer.sh [-d] [-n] [-v] [-x] [-B branch] [-C checkout] [-D backup ] [-K] [-M extension] [-N] [-O] directory [ directory [...] ]

  -d            Enable debug output
  -n            Dry-run mode
  -v            Enable verbose output
  -x            Enable shell debug output
  -B            PHPMailer GitHub branch name to use (default: master)
  -C            Directory containing cloned repository with branch to use
  -D            Backup directory to use (default: /phpmailer.backup)
  -K            Keep temporary directory
  -M            Rename original files using supplied extension (default: .BACKUP)
  -N            Do not create backup directory
  -O            Compare only, do not actually upgrade
```
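As an added illustration of the kind of check-and-replace the script performs (example code written for this page, not Jeroen Derks's phpmailer-upgrade.sh): a POSIX shell snippet that walks the directories you supply, reads the version string declared by the 5.2.x class.phpmailer.php (`public $Version = '...'`) and class.smtp.php (`const VERSION = '...'`) files, flags copies older than 5.2.20 (the release that fixes both CVEs above), and replaces a file with a reference copy after renaming the original with a .BACKUP extension. A DRY_RUN variable stands in for the script's -n option. The version-line format, the MIN_SAFE threshold, the function names and all paths are assumptions; the reference copy is whatever you checked out from the PHPMailer repository.

```shell
#!/bin/sh
# Added example, not the original phpmailer-upgrade.sh: inventory PHPMailer
# class files below the given directories and upgrade outdated copies from
# a reference file, keeping a backup of each original.
#
# Usage:  . ./phpmailer-check.sh ; scan_phpmailer /var/www/site1 /var/www/site2
#         upgrade_file /path/to/reference/class.smtp.php /var/www/site1/lib/class.smtp.php

MIN_SAFE=5.2.20                   # assumed threshold: first release fixing both CVEs
BACKUP_EXT=${BACKUP_EXT:-.BACKUP} # mirrors the script's -M default

# Print the version declared in a PHPMailer class file (assumed 5.2.x layout):
#   class.phpmailer.php:  public $Version = '5.2.18';
#   class.smtp.php:       const VERSION = '5.2.18';
# Prints nothing if no such line exists.
phpmailer_version_of() {
    sed -n -e "s/.*Version = '\([0-9][0-9.]*\)'.*/\1/p" \
           -e "s/.*VERSION = '\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if dotted version $1 is strictly older than $2, 1 otherwise.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# One line per PHPMailer class file found below the given directories:
#   <path> <version|unknown> <vulnerable|ok>
# A file whose version cannot be read is reported as vulnerable so it gets looked at.
scan_phpmailer() {
    for dir in "$@"; do
        find "$dir" -type f \( -name class.phpmailer.php -o -name class.smtp.php \) |
        while read -r f; do
            v=$(phpmailer_version_of "$f")
            [ -n "$v" ] || v=unknown
            if [ "$v" = unknown ] || version_lt "$v" "$MIN_SAFE"; then
                s=vulnerable
            else
                s=ok
            fi
            echo "$f $v $s"
        done
    done
}

# Replace $2 with the reference file $1 when the two differ. The original is
# kept as $2$BACKUP_EXT. With DRY_RUN=1 only report what would change.
upgrade_file() {
    reference=$1
    target=$2
    if cmp -s "$reference" "$target"; then
        echo "up-to-date: $target"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would upgrade: $target"
        return 0
    fi
    cp -p "$target" "$target$BACKUP_EXT" && cp "$reference" "$target" \
        && echo "upgraded: $target"
}

# When run directly with directories as arguments, just inventory them.
if [ $# -gt 0 ]; then
    scan_phpmailer "$@"
fi
```

Running the inventory first (the equivalent of the script's -O compare-only mode) gives you a list of vulnerable copies per customer directory before anything is touched; the backup copy next to each replaced file is what lets you roll back a site if the new class files break something.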
If you have any improvements or suggestions, please leave a message below or create a pull request.