Millions of websites vulnerable through bug in mail forms
A vulnerability in e-mail forms on websites allows attackers to run their own code on the servers behind them.
The vulnerability exploits weak security in PHPMailer, a script that many websites use for contact forms. The problem was discovered by security researcher Dawid Golunski, who says that about 9 million websites use the script.
According to Golunski, PHPMailer does not check whether an e-mail address entered in a form is valid. This allows attackers, via a detour, to run their own code on the server hosting the site.
According to the developers, the leak is fixed in the latest update of the mail script, but websites have to install that update before they are properly protected. Researcher Kevin Beaumont claims that the update does not properly fix the problem. According to him, the fix can be bypassed and code can be run again.
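The article does not say how the detour works, only that an unchecked form address is the entry point and that the library fix was reported as incomplete. The following contact-form handler is an added example, not code from the article or from the PHPMailer project, showing the two checks a site operator can apply regardless of which PHPMailer version is installed: reject any submitted address that is not a plain, well-formed e-mail address, and never use the visitor's address as the message sender, only as Reply-To. It assumes PHPMailer 6.x installed via Composer; the form field names and the example.com addresses are assumptions.

```php
<?php
// Added example (not from the article or the PHPMailer project): a contact-form
// handler that refuses to hand an unvalidated, user-supplied address to PHPMailer.
// Assumes PHPMailer 6.x via Composer; field names and addresses are assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

/**
 * Return the trimmed address if it is a plain, well-formed e-mail address,
 * or null otherwise. Whitespace, quotes, backslashes, angle brackets and
 * control characters are rejected outright: a contact-form address never
 * legitimately needs them, so there is no reason to let them reach the mailer.
 */
function validContactAddress(string $raw): ?string
{
    $addr = trim($raw);
    if ($addr === '' || strlen($addr) > 254) {
        return null;
    }
    if (preg_match('/[\s"\'\\\\<>\x00-\x1f\x7f]/', $addr) === 1) {
        return null;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $addr;
}

$rawEmail = $_POST['email'] ?? '';
$visitor  = is_string($rawEmail) ? validContactAddress($rawEmail) : null;
$rawBody  = $_POST['message'] ?? '';
$message  = is_string($rawBody) ? trim($rawBody) : '';

if ($visitor === null || $message === '') {
    http_response_code(400);
    exit('Please supply a valid e-mail address and a message.');
}

$mail = new PHPMailer(true);
try {
    // The sender is a fixed, site-owned address. The visitor's address is
    // never used as From/envelope sender; it only goes into Reply-To.
    $mail->setFrom('contact-form@example.com', 'Website contact form');
    $mail->addAddress('owner@example.com');
    $mail->addReplyTo($visitor);
    $mail->Subject = 'Contact form message';
    $mail->Body    = "From: {$visitor}\n\n{$message}";
    $mail->send();
    echo 'Thank you, your message has been sent.';
} catch (Exception $e) {
    http_response_code(500);
    error_log('Contact form mail failed: ' . $mail->ErrorInfo);
    exit('Sorry, your message could not be sent.');
}
```

Both measures are application-level defence in depth: they do not replace installing the PHPMailer update, but, given the report that the first fix could be bypassed, they ensure that a visitor-controlled string is never the address the library passes on as the sender in the first place.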
Large blogging platforms such as WordPress and Drupal use PHPMailer and have sent a warning to site administrators. Joomla also uses the script.
The discoverer of the leak says he wants to describe at a later time exactly how the attack can be carried out. He wants to give website administrators time to seal the leak.