Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: php9.htm

PHP 4.0.x mail() does not check for shell escape codes



COMMAND

    php

SYSTEMS AFFECTED

    php 4.0.5, 4.0.6

PROBLEM

    Laurent Sintes posted following.  php mail() function does not  do
    check  for  escape  shell  commandes,  even  if  php is running in
    safe_mode.   So  it's  may  be  possible  to  bypass the safe_mode
    restriction and gain shell access.

    Significatives lines of ext/standard/mail.c:

        extra_cmd = (*argv[4])->value.str.val;
        strcat (sendmail_cmd, extra_cmd);
        sendmail = popen(sendmail_cmd, "w");

    Exploit:

    mail("toto@toto.com",
             "test",
             "test",
             "test",
            "; shell_cmd");

SOLUTION

    Salim Gasmi  sent following  very trivial  patch if  like him  you
    cannot disable the mail() function.  Add this line:

        extra_cmd=NULL;

    in file ext/standard/mail.c, (line #152, juste before

        if (extra_cmd != NULL) { )

    and recompile  php.   This will  force the  parameter extra_cmd to
    NULL and thus disabling the bug.

    This is a  fast and trivial  patch, the right  way is to  unescape
    all characters in extra_cmd.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH