Bugtraq mailing list archives

Re: php mail function bypass safe_mode restriction


From: Salim Gasmi <salim () sdv fr>
Date: Wed, 18 Jul 2001 19:07:42 +0200

At 18/07/2001 02:53, Laurent Sintes wrote:
php mail() function does not check for shell command escaping,
even if php is running in safe_mode.

So it may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto () toto com",
         "test",
         "test",
         "test",
        "; shell_cmd");

I confirm, this works ...

A very trivial patch, if like me you cannot disable the mail() function, is to:

Add this line:  extra_cmd=NULL;
in file ext/standard/mail.c (line #152, just before "if (extra_cmd != NULL) {"),
and recompile php.

This will force the parameter extra_cmd to NULL and thus disables the bug.

This is a fast and trivial patch, the right way is to unescape all characters in extra_cmd.

Salim
***************************************************
Gasmi Salim - SdV Plurimedia  <http://www.sdv.fr>
Directeur technique / C.T.O

PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
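As an added illustration (not part of the thread and not PHP's own code), the following C sketch shows what the "right way" alluded to above looks like: the fifth mail() argument is backslash-escaped and the command line is built with a bounds check instead of a bare strcat(). The metacharacter list, the function names escape_shell_cmd()/build_sendmail_cmd() and the sendmail path are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Shell metacharacters that must be neutralised before the command line
 * reaches popen()/sh. Assumed list for this example. */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\n'\"";

/* Backslash-escape every metacharacter of `in` into `out` (size outlen).
 * Returns the length written, or -1 if the result would not fit. */
int escape_shell_cmd(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = strchr(SHELL_META, *p) ? 2 : 1;
        if (o + need >= outlen)
            return -1;
        if (need == 2)
            out[o++] = '\\';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "<sendmail> -t <extra>" with extra_cmd escaped and bounds-checked.
 * The vulnerable original did strcat(sendmail_cmd, extra_cmd) with neither.
 * Returns 0 on success, -1 if the command cannot be built safely. */
int build_sendmail_cmd(const char *sendmail_path, const char *extra_cmd,
                       char *cmd, size_t cmdlen)
{
    char safe[512];
    int n;
    if (extra_cmd == NULL || *extra_cmd == '\0')
        n = snprintf(cmd, cmdlen, "%s -t", sendmail_path);
    else if (escape_shell_cmd(extra_cmd, safe, sizeof safe) < 0)
        return -1;
    else
        n = snprintf(cmd, cmdlen, "%s -t %s", sendmail_path, safe);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

int main(void)
{
    char cmd[256];
    /* Constructed sample: the fifth mail() argument from the advisory. */
    if (build_sendmail_cmd("/usr/sbin/sendmail", "; shell_cmd", cmd, sizeof cmd) == 0)
        printf("%s\n", cmd);   /* the ';' is now a literal argument character */
    return 0;
}
```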