Is PHPMailer Secure

Question

I know this probably isn\'t an easy question but I\'m developing several webforms and want a PHP library that I can use to send the mail and have it automatically sanitize the d

Answer 1

As of now there is a highly recommended patch for vulnerabilities for Versions before 5.2.18 Download here https://github.com/PHPMailer/PHPMailer

The quote from Hacker News (http://thehackernews.com/2016/12/phpmailer-security.html) gives a brief summary:

Discovered by Polish security researcher Dawid Golunski of Legal Hackers, the critical vulnerability (CVE-2016-10033) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application.

"To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," Golunski writes in the advisory published today.

The technical details will be posted here: https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html

Answer 2

PHPMailer doesn't create/use any SQL itself, nor does it have anything to do with javascript, so it's secure on those fronts. It is often used alongside code that does both, but that's not PHPMailer's concern.

It applies filtering to headers in order to avoid header injection attacks, and (as far as I'm aware!) builds headers correctly in order to escape and encode according to RFCs - generally PHPMailer favours strict technical compliance where practical. There is one open issue relating to line length compliance.

If run with PHP 5.6 using default settings, it verifies SSL/TLS certificates on secure connections. Earlier PHP versions don't do this by default, and you can disable it in PHP 5.6, though neither is recommended. There is an open issue relating to forcing this setting in earlier PHP versions.

All that said, of course PHPMailer (like any technical library) can be abused to send all kinds of nasty phishing, spam and malware, and the SMTP class can be used to try to confuse the hell out of mail servers, though it will try its hardest to ensure it does so with the utmost respect for the RFCs.