From 2055bf8f6579fa81e0bdac4dcf7819cfcabb2865 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Mon, 15 May 2017 14:28:07 -0500
Subject: [PATCH] Add note about PHPMailer being bundled
---
 .../modules/exploit/unix/webapp/wp_phpmailer_host_header.md | 3 ++-
 modules/exploits/unix/webapp/wp_phpmailer_host_header.rb | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md b/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md
index e28b6ce89d..f0b7a22eb6 100644
--- a/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md
+++ b/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md
@@ -1,7 +1,8 @@
 ## Intro This vuln has some caveats: you need approximately WordPress 4.6 with
-Exim for the `sendmail(8)` command.
+Exim for the `sendmail(8)` command. You do not need to install
+PHPMailer, as it is included as part of the WordPress install.
 Thanks to WP's awesome practice of backporting the heck out of all their patches, we need to use a Git clone and check out the vuln release.
diff --git a/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb b/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb
index ed012dbf98..f6a4a90a23 100644
--- a/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb
+++ b/modules/exploits/unix/webapp/wp_phpmailer_host_header.rb
@@ -15,7 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'Name' => 'WordPress PHPMailer Host Header Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in WordPress
- version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer.
+ version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer,
+ a mail-sending library that is bundled with WordPress.
 A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to
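Review bot: The added Description line in modules/exploits/unix/webapp/wp_phpmailer_host_header.rb says PHPMailer is bundled with WordPress but leaves out what that means for someone assessing exposure: there is no separate PHPMailer install to look for, so the WordPress release itself decides whether a site is affected. I would make that explicit, for example `a mail-sending library that is bundled with WordPress, so no separate PHPMailer install is involved.` The same Description also states "version 4.6" flatly, while the documentation hunk in this commit says "approximately WordPress 4.6". One of the two should be made precise; the actual affected range is not visible on this page. The enclosing info hash starts and ends outside the hunk.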