[21617] in bugtraq
Re: php mail function bypass safe_mode restriction
daemon@ATHENA.MIT.EDU (Salim Gasmi)
Wed Jul 18 14:07:44 2001
Message-Id: <5.1.0.14.0.20010718190033.033ce8c0@panoramix.sdv.fr>
Date: Wed, 18 Jul 2001 19:07:42 +0200
To: Laurent Sintes <sintes@nfrance.com>, bugtraq@securityfocus.com
From: Salim Gasmi <salim@sdv.fr>
In-Reply-To: <20010718025357.A19592@albertine.nfrance.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 18/07/2001 02:53, Laurent Sintes wrote:
>php mail() function does not check or escape shell commands,
>even if php is running in safe_mode.
>
>So it may be possible to bypass the safe_mode restriction and gain
>shell access.
>
>Affected:
>php4.0.6
>php4.0.5
>
>Significant lines of ext/standard/mail.c:
>
> >extra_cmd = (*argv[4])->value.str.val;
> >strcat (sendmail_cmd, extra_cmd);
> >sendmail = popen(sendmail_cmd, "w");
>
>Exploit:
>mail("toto@toto.com",
> "test",
> "test",
> "test",
> "; shell_cmd");
I confirm, this works ...
A very trivial patch if like me you cannot disable the mail() function is to:
Add this line: extra_cmd=NULL;
in file ext/standard/mail.c (line #152, just before if (extra_cmd !=
NULL) { ):
and recompile php.
This will force the parameter extra_cmd to NULL and thus disable the bug.
This is a fast and trivial patch, the right way is to unescape all
characters in extra_cmd.
Salim
***************************************************
Gasmi Salim - SdV Plurimedia <http://www.sdv.fr>
Directeur technique / C.T.O
PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
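As an added illustration of the hardening the thread points at (this is not code from the thread or from PHP's mail.c): a check that refuses shell metacharacters in the fifth mail() argument before it is appended to the popen() command line. The allow-list, the "-t" default and the function names are assumptions made for the example.

```c
/* Example only: hardened replacement for the strcat(sendmail_cmd, extra_cmd)
 * + popen() pattern quoted above.  Not PHP's own code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed allow-list: characters that can legitimately appear in extra
 * sendmail options such as "-f bounces@example.com".  Everything else,
 * including ';', '|', '&', '`', '$', quotes and newlines, is rejected. */
static int extra_cmd_char_ok(unsigned char c) {
    if (c == '\0') return 0;
    return isalnum(c) || strchr("@._+-= ", c) != NULL;
}

/* Returns 1 if extra_cmd may be placed on a shell command line, else 0.
 * A NULL argument means nothing will be appended, which is safe. */
int extra_cmd_is_safe(const char *extra_cmd) {
    if (extra_cmd == NULL) return 1;
    for (const char *p = extra_cmd; *p != '\0'; p++)
        if (!extra_cmd_char_ok((unsigned char)*p)) return 0;
    return 1;
}

/* Builds "<sendmail_path> -t [extra_cmd]" into out (capacity outlen) only
 * when extra_cmd passes the allow-list.  Returns 0 on success, -1 when the
 * argument is rejected or the buffer is too small (truncation is an error,
 * not a silent best effort). */
int build_sendmail_cmd(char *out, size_t outlen, const char *sendmail_path,
                       const char *extra_cmd) {
    if (!extra_cmd_is_safe(extra_cmd)) return -1;
    int n = snprintf(out, outlen, "%s -t%s%s", sendmail_path,
                     extra_cmd ? " " : "", extra_cmd ? extra_cmd : "");
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void) {
    /* Constructed inputs: a legitimate envelope-sender option and the
     * metacharacter-laden argument from the quoted advisory. */
    const char *inputs[] = { "-f bounces@example.com", "; shell_cmd" };
    char cmd[256];
    for (int i = 0; i < 2; i++) {
        int rc = build_sendmail_cmd(cmd, sizeof cmd, "/usr/sbin/sendmail", inputs[i]);
        printf("%-24s -> %s\n", inputs[i], rc == 0 ? cmd : "REJECTED");
    }
    return 0;
}
```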