Submission: Millions of Websites Vulnerable Due to Security Bug in Popular PHP Script (bleepingcomputer.com)

An anonymous reader writes: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more.

The vulnerability was fixed on Christmas with the release of PHPMailer 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks.

Even if the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch, and published exploit code online, allowing others to automate attacks using this flaw, largely still unpatched due to the holiday season.
