CVE-2017-15806 – Zeta Components Mail 1.8.1 - Remote Code Execution

https://notcve.org/view.php?id=CVE-2017-15806

The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php." La función send en la clase ezcMailMtaTransport en Zeta Components Mail en versiones anteriores a la 1.8.2 no restringe correctamente el conjunto de caracteres empleados en la propiedad de ezcMail returnPath, lo que podría permitir que atacantes remotos ejecuten código arbitrario mediante una dirección de correo electrónico manipulada, tal y como demuestra una que contenga "-X/path/to/wwwroot/file.php". • https://www.exploit-db.com/exploits/43155 http://www.securityfocus.com/bid/101866 https://github.com/zetacomponents/Mail/issues/58 https://github.com/zetacomponents/Mail/releases/tag/1.8.2 https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-critical-rce-vulnerability https://kay-malwarebenchmark.github.io/blog/cve-2017-15806-yuan-cheng-dai-ma-zhi-xing-lou-dong • CWE-94: Improper Control of Generation of Code ('Code Injection') •