CVE-2020-36326 Overview
CVE-2020-36326 is an insecure deserialization vulnerability affecting PHPMailer versions 6.1.8 through 6.4.0. The vulnerability allows object injection through Phar Deserialization via the addAttachment method when a UNC pathname is supplied. This vulnerability is related to CVE-2018-19296 and emerged as an unintended consequence of a functionality fix in version 6.1.8 that addressed an issue where UNC pathnames were incorrectly treated as unreadable. The fix inadvertently removed security controls that previously blocked exploitation of the addAttachment function.
Critical Impact
Successful exploitation enables remote attackers to achieve arbitrary code execution through PHP object injection, potentially leading to complete system compromise of applications using vulnerable PHPMailer versions.
Affected Products
- PHPMailer versions 6.1.8 through 6.4.0
- WordPress (multiple versions bundling vulnerable PHPMailer)
- Applications and CMS platforms using PHPMailer for email functionality
Discovery Timeline
- 2021-04-28 - CVE-2020-36326 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36326
Vulnerability Analysis
This object injection vulnerability (CWE-502) exploits PHP's Phar deserialization mechanism through the addAttachment method in PHPMailer. The vulnerability allows attackers to supply a malicious UNC pathname that triggers unsafe deserialization of Phar archive metadata, enabling arbitrary PHP object instantiation. This can lead to remote code execution when combined with existing PHP gadget chains in the application.
The flaw arose from a regression introduced in version 6.1.8. A previous security fix that treated UNC pathnames as unreadable was modified to restore functionality for legitimate use cases. However, this change inadvertently removed the protective code path that prevented attackers from exploiting addAttachment with malicious Phar archives accessed via UNC paths (e.g., \\attacker-server\share\malicious.phar).
Root Cause
The root cause is the removal of security controls during a functionality fix in PHPMailer 6.1.8. The original implementation rejected UNC pathnames entirely, which prevented legitimate use cases but also blocked exploitation. When this restriction was relaxed to allow valid UNC path handling, the code path that would trigger Phar deserialization became accessible to attackers. PHP's stream wrappers automatically deserialize Phar metadata when file operations are performed on phar:// URIs or file paths that PHP interprets as Phar archives.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by supplying a malicious UNC pathname to the addAttachment method. When PHPMailer processes this attachment, PHP's file handling functions may trigger Phar deserialization if the path references a Phar archive on an attacker-controlled SMB share. The deserialization process instantiates objects defined in the Phar's metadata, which can execute arbitrary code through PHP gadget chains present in the application's codebase or included libraries.
The attack typically involves hosting a malicious Phar archive containing a crafted serialized object on a network share, then triggering a vulnerable application to process an attachment path pointing to this archive.
Detection Methods for CVE-2020-36326
Indicators of Compromise
- Presence of UNC paths (starting with \\) in email attachment parameters or logs
- Outbound SMB connections (port 445) from web servers to unexpected external hosts
- Unexpected PHP object instantiation or execution patterns in application logs
- File access attempts to .phar files from unexpected network locations
Detection Strategies
- Monitor application logs for UNC path patterns in PHPMailer-related functions
- Implement network egress filtering to detect and block outbound SMB traffic from web application servers
- Deploy file integrity monitoring on critical application files to detect signs of code execution
- Use static analysis tools to identify usage of vulnerable PHPMailer versions in codebases
Monitoring Recommendations
- Enable verbose logging for PHPMailer operations to capture attachment paths
- Configure web application firewalls to detect and alert on UNC path injection attempts
- Monitor for unusual process spawning from PHP/web server processes
- Audit dependencies regularly to identify outdated PHPMailer installations
How to Mitigate CVE-2020-36326
Immediate Actions Required
- Upgrade PHPMailer to version 6.4.1 or later immediately
- Audit all applications using PHPMailer to identify vulnerable versions
- Implement input validation to reject UNC pathnames in attachment handling
- Review WordPress installations and update to versions with patched PHPMailer bundles
Patch Information
The PHPMailer project has released a security fix addressing this vulnerability. The patch is available in the PHPMailer GitHub commit. Fedora has also issued package announcements for updated PHPMailer packages.
Workarounds
- Implement strict input validation to block UNC paths (paths starting with \\ or containing phar:// wrappers) before passing to addAttachment
- Configure php.ini to disable Phar stream wrapper by setting phar.readonly = 1 if Phar functionality is not required
- Use network-level controls to block outbound SMB connections from web servers
- Implement application-level allowlisting for attachment file paths
# PHP configuration to restrict Phar operations
# Add to php.ini or application-specific PHP configuration
phar.readonly = 1
# Disable phar stream wrapper if not needed (requires PHP extension disable)
# Add to disable_functions in php.ini
disable_functions = phar://
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
