Re: php mail function bypass safe_mode restriction

[Stuart Moore <info () securitytracker com>]

Hi.  I might be having a case of deja vu, because this problem sounds
familiar.  Is this problem different from the one posted by Joost Pol <
joost () contempt nl > on Sat Jun 30 2001 12:40:06 ("php breaks safe
mode")?  In that one, a problem with an extra 5th parameter that was
added to the mail() command and broke safemode was described, affecting
4.0.5.

See: http://www.securityfocus.com/bid/2954

Also, from January 2000 there was a report of a problem in PHP 3 where
the popen() command, used by mail(), fails to be applied to the
EscapeShellCmd() command.  

See: http://www.securityfocus.com/bid/911

So, is the problem w/ popen() or with mail()?

Stuart


----------------------------
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore @ securityglobal.net
----------------------------



-----------------------------------------------------------------
php mail() function does not do check for escape shell commandes,
even if php is running in safe_mode.

So it's may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significatives lines of ext/standard/mail.c:

> extra_cmd = (*argv[4])->value.str.val;
> strcat (sendmail_cmd, extra_cmd);
> sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto () toto com",
         "test",
         "test",
         "test",
        "; shell_cmd"); 

-----------------------------------------------------------------