PHPMailer < 5.2.20


Verified User
A(n) (couple of) exploit(s) have been discovered in PHPmailer, which is used by many CMS/websites.

Initial report which is patched:
New CVE since initial patch is still vulnerable:
Explaination for dummies:

I am not sure how vulnerable a DirectAdmin system is, as Sendmail is being linked to Exim. Are we safe?*
*ofcourse PHPmailer must be updated, but it will be the difference in calling all affected website owners or sending them an email and give them a week to update.


Verified User
According the exploit description:
An attacker could pass the -X parameter of sendmail to write out a log file with arbitrary PHP code.
Exim command line docs:
-X <logfile>
This option is interpreted by Sendmail to cause debug information to be sent to the named file. It is ignored by Exim.
As far as i understand, this specific exploit (-X parameter) can not be abused on servers with Exim.

However, other parameters can/may be abused so a patch for PHPMailer is probably still necessary.