by exratione 3455 days ago
Looks like recent versions of WordPress may or may not reject emails with the quoted name format of "bad stuff"@example.com. Might depend on your plugins. My experimentation produced varied results for my sites and testbeds.

filter_var($email, FILTER_SANITIZE_EMAIL) works for this exploit, as it removes spaces and double quotes.

The SMTP plugins I surveyed still use PHPMailer.

You'd want to try something like:

  /**
   * Block the PHPMailer vulnerability: 
   * https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
   */
  function example_wp_mail_filter($args) {
    $new_wp_mail = array(
      # Get rid of quotes in quoted emails: "bad stuff"@example.com. Should be
      # sufficient sabotage.
      'to' => preg_replace('/[\'"]/u', "", $args['to']),
      'subject' => $args['subject'],
      'message' => $args['message'],
      'headers' => $args['headers'],
      'attachments' => $args['attachments'],
    );
  
    return $new_wp_mail;
  }
  add_filter('wp_mail', 'example_wp_mail_filter');
1 comments

Oh geez. That does block the exploit, but breaks the functionality. `"Random A. Person" <someone@example.com>`

(Also, if the SMTP plugin uses PHPMailer, but actually is configured to talk to SMTP, there is no mail() and the issue is moot.)
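
A variant of the `wp_mail` filter that takes the reply's objection into account, as an added example that is not code from either commenter or from WordPress: it filters the `to` field as the post does, but extracts the address from `"Name" <addr>` recipients instead of stripping quotes everywhere, and drops any address containing quotes or spaces. The function names are hypothetical; discarding the display name and silently dropping rejected recipients are assumptions of this example.

```php
<?php
/** Return the bare addr-spec of one recipient, or null if it is not plain. */
function example_safe_addr_spec($recipient) {
  $recipient = trim($recipient);
  // "Random A. Person" <someone@example.com>  ->  someone@example.com
  if (preg_match('/^(.*)<([^<>]*)>$/s', $recipient, $m)) {
    $addr = trim($m[2]);
  } else {
    $addr = $recipient;
  }
  // Conservative allow-list: no quotes, spaces, backslashes or parentheses,
  // so a quoted local part such as "bad stuff"@example.com is rejected.
  if (!preg_match('/^[A-Za-z0-9.!#$%&*+\/=?^_`{|}~-]+@[A-Za-z0-9.-]+$/', $addr)) {
    return null;
  }
  // FILTER_VALIDATE_EMAIL alone is not relied on; it is a second check only.
  return filter_var($addr, FILTER_VALIDATE_EMAIL) ? $addr : null;
}

function example_wp_mail_strict_filter($args) {
  // wp_mail accepts an array or a comma-separated string for 'to'.
  $to = is_array($args['to']) ? $args['to'] : explode(',', $args['to']);
  $clean = array();
  foreach ($to as $recipient) {
    $addr = example_safe_addr_spec($recipient);
    if ($addr !== null) {
      $clean[] = $addr;
    }
  }
  $args['to'] = $clean; // may end up empty, in which case nothing is sent
  return $args;
}

if (function_exists('add_filter')) {
  // Running inside WordPress: register on the same hook as the post above.
  add_filter('wp_mail', 'example_wp_mail_strict_filter');
} else {
  // Stand-alone run on constructed sample recipients.
  $sample = array('to' => array(
    'someone@example.com',
    '"Random A. Person" <someone@example.com>',
    '"bad stuff"@example.com',
  ));
  print_r(example_wp_mail_strict_filter($sample)['to']);
}
```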