PHPMailer is a widely deployed utility class used in PHP application to handle emails sent through sendmail, PHP mailto() or SMTP. It is used in PHP applications such as WordPress, Mantis, WebCalendar, Group-Office and Joomla. The last official release happened on July 11, 2005.

If you have configured PHPMailer to use sendmail it has a remote command execution vulnerability due to a lack of input validation. sendmail is queried through the popen function which is called with a string constructed from non-escaped user input.

Line 393 in the SendmailSend function in class.phpmailer.php has the vulnerable code. If the Sender property is set by the initiating script it is possible to execute arbitrary commands.

if ($this->Sender != "")
    $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
    $sendmail = sprintf("%s -oi -t", $this->Sendmail);

if(!@$mail = popen($sendmail, "w"))

The Sender property is most typically set in the host application by reading the value of the e-mail field or comment forms, which is where most attack vectors will be found.

The solution of course is to properly escape the input with the escapeshellarg() or escapeshellcmd() functions.

Alternatively, you can enable the PHP feature safe_mode, though many PHP applications such as the TinyMCE spellchecker in WordPress will break as a result of this. The safe_mode documentation comes with a warning of its own:

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use safe mode for now.

I have notified PHPMailer about this on their SourceForge bug tracker, see issue 1734811 :)