PHPMailer is a widely deployed utility class used in PHP applications to handle e-mail sent through sendmail, PHP mailto() or SMTP. It is used in PHP applications such as WordPress, Mantis, WebCalendar, Group-Office and Joomla. The last official release happened on July 11, 2005.
If you have configured PHPMailer to use sendmail, it has a remote command execution vulnerability due to a lack of input validation. sendmail is invoked through the popen() function, which is called with a command string constructed from unescaped user input.
Line 393 in the SendmailSend function in class.phpmailer.php has the vulnerable code. If the Sender property is set by the initiating script, it is possible to execute arbitrary commands.

```php
// class.phpmailer.php, SendmailSend(): the Sender property is interpolated
// into the shell command line without any escaping or validation.
if ($this->Sender != "")
    $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
else
    $sendmail = sprintf("%s -oi -t", $this->Sendmail);
// The assembled string is handed to the shell via popen().
if(!@$mail = popen($sendmail, "w"))
```
The Sender property is most typically set in the host application by reading the value of the e-mail field or comment forms, which is where most attack vectors will be found.
The solution, of course, is to properly escape the input with the escapeshellarg() or escapeshellcmd() functions.
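As an added example (not PHPMailer's code and not from the original post), the command construction above is shown beside a hardened variant that validates the Sender as an address with filter_var() and quotes it with escapeshellarg() before it could reach popen(); the sendmail path and the sample addresses are assumed values, and nothing is executed, both functions only return the command string.

```php
<?php
// Added example, not PHPMailer's code. Both functions build the sendmail
// command line the way SendmailSend() does, but never call popen().

function buildSendmailCommandVulnerable(string $sendmailPath, string $sender): string
{
    // Mirrors the original: $sender is interpolated verbatim into a shell command.
    if ($sender !== '') {
        return sprintf('%s -oi -f %s -t', $sendmailPath, $sender);
    }
    return sprintf('%s -oi -t', $sendmailPath);
}

function buildSendmailCommandSafe(string $sendmailPath, string $sender): string
{
    if ($sender !== '') {
        // Reject anything that is not a syntactically valid address first ...
        if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('Sender is not a valid e-mail address');
        }
        // ... then single-quote the value so the shell sees exactly one literal
        // argument. escapeshellarg() is the safer of the two functions named in
        // the post, because escapeshellcmd() leaves whitespace unescaped.
        return sprintf('%s -oi -f %s -t', $sendmailPath, escapeshellarg($sender));
    }
    return sprintf('%s -oi -t', $sendmailPath);
}

// Constructed sample inputs (assumed values): a normal address and one that
// carries a shell metacharacter of the kind a form field could deliver.
$path = '/usr/sbin/sendmail';
$good = 'alice@example.com';
$bad  = 'alice@example.com; echo injected';

// With the original construction the metacharacter becomes part of the
// command line handed to the shell.
echo buildSendmailCommandVulnerable($path, $good), "\n";
echo buildSendmailCommandVulnerable($path, $bad), "\n";

// The hardened variant quotes the valid address and refuses the other one.
echo buildSendmailCommandSafe($path, $good), "\n";
try {
    buildSendmailCommandSafe($path, $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```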
Alternatively, you can enable the PHP feature safe_mode, though many PHP applications such as the TinyMCE spellchecker in WordPress will break as a result of this. The safe_mode documentation comes with a warning of its own:
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use safe mode for now.
I have notified PHPMailer about this on their SourceForge bug tracker, see issue 1734811.

A quick note:
The Symfony web PHP framework uses PHPMailer as its base emailer utility.
Swiftmailer doesn’t have this problem, and has a PHPMailer shim.
http://www.swiftmailer.org/
There is a plugin for Symfony to use Swift Mailer:
http://trac.symfony-project.com/trac/wiki/sfSwiftPlugin
[...] PHPMailer has a remote command execution vulnerability if you have configured it to use sendmail. You can find more information about this issue here: http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ [...]
[...] security updates By Thor Larholm On June 11 I published an input validation vulnerability in PHPMailer, CVE-2007-3215. Since then, a number of applications [...]
[...] The Symfony project has released the latest version of their framework - Symfony 1.0.5 - largely a security fix release to help head off some issues that came up with the phpmailer utility. I’ve just released symfony 1.0.5. If you use the symfony built-in phpmailer (and you do if you use the ->sendMail() method in your actions), you must upgrade to this release or apply the following patch: http://trac.symfony-project.com/trac/changeset/4380?format=diff&new=4380. PHPMailer has a remote command execution vulnerability if you have configured it to use sendmail. You can find more information about this issue here: http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ [...]
[...] PHPMailer 0day remote command execution, Thor Larholm’s security advisory [...]
[...] sender address can be used to gain access to system resources. This exploit is described in “PHPMailer 0day remote command execution” and [...]
[...] Mambo LaiThai Global 4.5.6 Release Notes (MamboXChange) PHPMailer 0day remote execution (Thor Larholm) Announcements: GLPI 0.68.3-2 bug fixes (GLPI) Knowledgeroot Knowledgebase Release [...]