Originally discovered by Dawid Golunski of Legal Hackers, the trio of mailing solutions: Zend Mail, SwiftMailer and PHPMailer has revealed the same critical security vulnerability where a potential attacker could remotely take control over your web server through the use of standard features like contact form, reset password, login/register, newsletter subscription and other forms present on your website that are using email sending feature with mentioned components.
Common Magento Security Issue – Mailing Vulnerabilities
If it happens that you are using mentioned version of Zend Framework, PHPMailer or SwiftMailer then you are vulnerable to an attack once malicious crafted input is passed to setFrom() function. In short, if someone crafts an email address like this : “Haxor ” -Param1 -Param2″@test.com ( injecting an extra sequence of ” after the first argument ) it will cause Sendmail to execute with named parameters.
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker]
Arg no. 4 == [-Param1]
Arg no. 5 == [-Param2″@test.com]
Which, as can be seen above, would inject additional parameters of 4 & 5 to Sendmail.
Deep under the hood, we are hitting PHP’s mail() function by passing it the 5th parameter.
parameters — Optional. Specifies an additional parameter to the sendmail program (the one defined in the sendmail_path configuration setting). (i.e. this can be used to set the envelope sender address when using sendmail with the -f sendmail option)
Here is an actual PHP code example which would write message body into file /var/www/cache/phpcode.php:
$email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'; $msg_body = "<?php phpinfo(); ?>";
Check Security Advisory: ZF2016–04 for more details.
Proof of Concept:
Affected Component Versions
Following are the vulnerable versions of each component.
Zend Framework 2:
- Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
- zend-mail < 2.4.11
- zend-mail < 2.7.2
- PHPMailer < 5.2.18
- SwiftMailer <= 5.4.5-DEV
Magento Security Issue: Mailing Vulnerability Temporary Solution and Tradeoff
While none of Magentos are built on Zend Framework they are still utilizing different parts of ZF1 and ZF2 and by no surprise, both are using zend-mail to send emails.
The very first thing that is not clear is whether you need to set “Set Return-Path” to “No” if your store has it’s value set to “Specified”, however, at the same time it is advised to set this setting to “No” regardless of transport agent used.
In short, “Set Return-Path: Yes” is the only way user input can be used, so you are safe with return-path option set to “Specified”.
From there it also seems that Magento team went with lesser of two evils principle because setting “Set Return-Path” to “No” may cause you a lot of different problems including: miss of bounced undeliverable emails and even getting caught in email spam filters.
Fewer Problems with Magento 2 Security
You are completely safe with Magento 2 as the setting is not used anywhere in the code at the moment.
P.S. If you are not sure which email agent is used, most likely it’s Sendmail because it’s usually default email agent. Otherwise, check with your system administrators.
Keep in mind that in case of Magento “fix” by disabling “return-path” header may get you into even more trouble.
Worried about your Magento security status and unsure how to improve it? You’ve come to the right place! Scandiweb is the most certified Magento agency in the world ensuring Magento technical support with more than a hundred experienced coders and more than a decade of experience under its belt.
We’re here to help, so drop us a line at firstname.lastname@example.org or check out our Magento Security and Health Monitoring Service – MageBee.