[21635] in bugtraq
Re: php mail function bypass safe_mode restriction
daemon@ATHENA.MIT.EDU (Laurent Sintes)
Thu Jul 19 12:03:43 2001
Date: Wed, 18 Jul 2001 20:03:39 +0200
From: Laurent Sintes <sintes@nfrance.com>
To: bugtraq@securityfocus.com
Message-ID: <20010718200339.A19480@albertine.nfrance.com>
In-Reply-To: <5.1.0.14.0.20010718190033.033ce8c0@panoramix.sdv.fr>; from salim@sdv.fr on Wed, Jul 18, 2001 at 07:07:42PM +0200
> Add this line: extra_cmd=NULL;
> in file ext/standard/mail.c, (line #152, just before if (extra_cmd !=
> NULL) { ) :
> and recompile php.

You can also use extra_cmd = php_escape_shell_cmd(extra_cmd);
to unescape all characters.
In latest CVS you can see
extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));
But it is not a sufficient check because php_escape_shell_arg
does not escape all characters.
See ext/standard/exec.c for php_escape_shell_* code.
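
Added example, not part of the original message and not PHP's own code: simplified models of the two escaping styles named above (escape the whole command string vs. quote a single argument), applied to a constructed extra_cmd value so the resulting command lines can be compared. The function names, the sendmail path, the sample input, and the "path, space, extra_cmd" layout of the command line are assumptions made for the illustration; nothing is executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of escaping a whole command string: backslash every shell
   metacharacter, so words stay separate but none can start a new command. */
char *escape_cmd(const char *s) {
    static const char meta[] = "#&;`|*?~<>^()[]{}$\\\n\"'";
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (strchr(meta, *s)) *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Simplified model of escaping one argument: wrap the string in single
   quotes and rewrite each embedded ' as '\'' so it cannot close them. */
char *escape_arg(const char *s) {
    size_t n = 2;                               /* the surrounding quotes */
    for (const char *q = s; *q; q++) n += (*q == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *s;
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Assumed shape of the command line: sendmail path, a space, extra_cmd. */
char *build_cmd(const char *sendmail_path, const char *extra) {
    if (!extra) return NULL;
    size_t n = strlen(sendmail_path) + strlen(extra) + 2;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", sendmail_path, extra);
    return cmd;
}

int main(void) {
    const char *path = "/usr/sbin/sendmail -t -i";      /* constructed */
    const char *extra = "-fuser@example.com; echo X";   /* constructed */
    printf("raw : %s\n", build_cmd(path, extra));
    printf("cmd : %s\n", build_cmd(path, escape_cmd(extra)));
    printf("arg : %s\n", build_cmd(path, escape_arg(extra)));
}
```

With command-style escaping the value can still supply several sendmail options; with argument-style quoting the whole value reaches sendmail as one word.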