Bugtraq mailing list archives
Re: php mail function bypass safe_mode restriction
From: Salim Gasmi <salim () sdv fr>
Date: Wed, 18 Jul 2001 19:07:42 +0200
At 18/07/2001 02:53, Laurent Sintes wrote:
php mail() function does not check for escape shell commands, even if php is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain shell access.

Affected: php4.0.6 php4.0.5

Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto () toto com", "test", "test", "test", "; shell_cmd");
I confirm, this works ...

A very trivial patch, if like me you cannot disable the mail() function, is to:

Add this line:
extra_cmd=NULL;
in file ext/standard/mail.c (line #152, just before if (extra_cmd != NULL) { )
and recompile php.

This will force the parameter extra_cmd to NULL, thus disabling the bug.
This is a fast and trivial patch; the right way is to unescape all characters in extra_cmd.
Salim

***************************************************
Gasmi Salim - SdV Plurimedia <http://www.sdv.fr>
Directeur technique / C.T.O
PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
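A sketch of the escaping approach the reply points to as the proper fix, added here as an example and not code from the post or from PHP's source: the extra parameter is backslash-escaped and length-checked before it joins the sendmail command line. The function names, the metacharacter list and the sendmail path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Shell metacharacters that get a backslash prefix (assumed list; quotes are
 * always escaped here, which is stricter than pairing them up). */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\"'";

/* Copy `in` to `out`, escaping metacharacters. Spaces pass through so that
 * several sendmail options can still be given. Returns 0, or -1 when the
 * input holds a control character or the result does not fit. */
int escape_extra_cmd(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(SHELL_META, c) != NULL ? 2 : 1;
        if (c < 0x20 || c == 0x7f || o + need >= outlen)
            return -1;
        if (need == 2)
            out[o++] = '\\';
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Bounded replacement for the strcat() step: the command is only built,
 * never executed here. Returns 0 on success, -1 on rejection. */
int build_sendmail_cmd(const char *sendmail_path, const char *extra_cmd,
                       char *cmd, size_t cmdlen)
{
    char escaped[512];
    int n;
    if (extra_cmd == NULL || *extra_cmd == '\0') {
        n = snprintf(cmd, cmdlen, "%s", sendmail_path);
    } else {
        if (escape_extra_cmd(extra_cmd, escaped, sizeof escaped) != 0)
            return -1;
        n = snprintf(cmd, cmdlen, "%s %s", sendmail_path, escaped);
    }
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

int main(void)
{
    char cmd[256];
    /* Constructed input: the fifth mail() argument from the report. */
    if (build_sendmail_cmd("/usr/sbin/sendmail -t -i", "; shell_cmd", cmd, sizeof cmd) == 0)
        printf("%s\n", cmd);
    return 0;
}
```

Escaping only stops command chaining: the `;` reaches sendmail as a literal argument, but the caller still chooses which options sendmail receives.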