At 18/07/2001 02:53, Laurent Sintes wrote:

>php mail() function does not do any check or escaping for shell commands,
>even if php is running in safe_mode.
>
>So it may be possible to bypass the safe_mode restriction and gain
>shell access.
>
>Affected:
>php4.0.6
>php4.0.5
>
>Significant lines of ext/standard/mail.c:
>
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");
>
>Exploit:
>mail("totoat_private",
>     "test",
>     "test",
>     "test",
>     "; shell_cmd");

I confirm, this works ...

A very trivial patch if like me you cannot disable the mail() function is to:

Add this line:

    extra_cmd=NULL;

in file ext/standard/mail.c (line #152, just before

    if (extra_cmd != NULL) {

) and recompile php.

This will force the parameter extra_cmd to NULL and thus disable the bug.
This is a fast and trivial patch, the right way is to unescape all characters in extra_cmd.

Salim

***************************************************
Gasmi Salim - SdV Plurimedia <http://www.sdv.fr>
Directeur technique / C.T.O
PGP Key available at: http://www.gasmi.net/pgp.txt
***************************************************
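An added illustration, not code from the original post or from the PHP source, of the pattern discussed above: the unchecked command-line build that hands the 5th mail() parameter to popen() next to an allowlist check on extra_cmd that lets only the characters a sendmail flag such as "-f sender@example.com" needs through. The sendmail path and the allowed character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail -t -i"   /* assumed sendmail_path */

/* Returns 1 when extra_cmd is NULL or contains only characters that can be
 * passed to /bin/sh unquoted without changing the command structure: letters,
 * digits, space, '-', '_', '.' and '@'. Shell metacharacters such as ';', '|',
 * '&', '`', '$', quotes and newlines are rejected. */
int extra_cmd_is_safe(const char *extra_cmd)
{
    if (extra_cmd == NULL)
        return 1;
    for (const unsigned char *p = (const unsigned char *)extra_cmd; *p; p++) {
        if (isalnum(*p) || strchr("-_.@ ", *p) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* The vulnerable shape from the post: the caller-controlled extra_cmd is
 * appended verbatim to the command line that popen() would pass to the shell.
 * Returns 0, or -1 if the result does not fit in out. */
int build_sendmail_cmd_unchecked(char *out, size_t outlen, const char *extra_cmd)
{
    int n = snprintf(out, outlen, "%s %s", SENDMAIL_PATH, extra_cmd ? extra_cmd : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened variant: refuse to build the command at all when extra_cmd fails
 * the allowlist, so nothing untrusted ever reaches popen(). */
int build_sendmail_cmd_checked(char *out, size_t outlen, const char *extra_cmd)
{
    if (!extra_cmd_is_safe(extra_cmd))
        return -1;
    return build_sendmail_cmd_unchecked(out, outlen, extra_cmd);
}

int main(void)
{
    char cmd[256];
    /* constructed inputs: a legitimate envelope-sender flag and the payload shape from the post */
    const char *legit = "-f sender@example.com";
    const char *hostile = "; shell_cmd";
    printf("legit   -> %s\n", build_sendmail_cmd_checked(cmd, sizeof cmd, legit) == 0 ? cmd : "(rejected)");
    printf("hostile -> %s\n", build_sendmail_cmd_checked(cmd, sizeof cmd, hostile) == 0 ? cmd : "(rejected)");
    return 0;
}
```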
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 10:42:17 PDT