No details on what the actual issue was, but I think it's fixed in this commit[1]. Seems like the escapeshellarg addition is the important bit.<p><i>Sigh</i><p>It seems a bit... odd... to try and embargo/withhold information about a vulnerability when the fix is publicly available on their GitHub for anybody to see.<p>1. <a href="https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc" rel="nofollow">https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fb...</a>
Seems to come from the From email field: <a href="https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5.2.18" rel="nofollow">https://github.com/PHPMailer/PHPMailer/compare/v5.2.17...v5....</a><p>More details here: <a href="https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/" rel="nofollow">https://www.saotn.org/exploit-phps-mail-get-remote-code-exec...</a><p>PHP mail doc: <a href="http://php.net/manual/en/function.mail.php" rel="nofollow">http://php.net/manual/en/function.mail.php</a><p>A function that allows passing arbitrary flags to a command line, what could go wrong... :)<p><pre><code> mail('nobody@example.com', 'the subject', 'the message', null, '-fwebmaster@example.com');</code></pre>
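The sender handling the comment above points at, as an added example that is not part of the thread and is not PHPMailer's code: the address is only placed in the fifth argument of mail() after it passes a strict character allowlist. The function names buildSenderParam and sendMessage and the sample addresses are hypothetical.

```php
<?php
// Added example, not PHPMailer code. Helper names are hypothetical.

// Returns the value for mail()'s 5th argument, or null when the sender
// must not be placed on the mail program's command line.
function buildSenderParam(string $sender): ?string
{
    // First gate: must parse as an e-mail address at all.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Second gate: an address can be syntactically valid and still carry
    // characters that are unsafe on a command line, so allow only a
    // conservative set (no whitespace, quotes or backslashes).
    if (!preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $sender)) {
        return null;
    }
    // Only allowlisted characters remain, so nothing after "-f" can be
    // split off and read as a separate flag.
    return '-f' . $sender;
}

function sendMessage(string $to, string $subject, string $body, string $sender): bool
{
    // Weak form, for comparison (the From field goes straight to the flag list):
    //   mail($to, $subject, $body, '', '-f' . $sender);
    $param = buildSenderParam($sender);
    if ($param === null) {
        // Drop the 5th argument and let the MTA use its default sender.
        return mail($to, $subject, $body);
    }
    return mail($to, $subject, $body, '', $param);
}

// Constructed sample inputs: show which senders would reach the command line.
$samples = [
    'webmaster@example.com',
    'web master@example.com',
    '"quoted local"@example.com',
];
foreach ($samples as $s) {
    $p = buildSenderParam($s);
    printf("%-30s => %s\n", $s, $p === null ? 'rejected' : $p);
}
```

Run from the CLI, the loop only prints the decision for each sample; sendMessage is defined but not called, so no mail is sent.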
In case anyone needs this:<p>A script for finding vulnerable versions of PHPMailer on a server:<p><a href="https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf116" rel="nofollow">https://gist.github.com/cebe/d0f5631b432c520a2e6f6be8beddf11...</a><p>It also finds really old versions like 2.0.4.