Re: php mail function bypass safe_mode restriction

From: Laurent Sintes (sintesat_private)
Date: Wed Jul 18 2001 - 11:03:39 PDT

Next message: Glynn Clements: "Re: Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabilities)"

Previous message: Phaedrus: "Re: long filename issue in Win9x"
Maybe in reply to: Laurent Sintes: "php mail function bypass safe_mode restriction"
Next in thread: Jon Ribbens: "Re: php mail function bypass safe_mode restriction"
Next in thread: Stuart Moore: "Re: php mail function bypass safe_mode restriction"
Reply: Jon Ribbens: "Re: php mail function bypass safe_mode restriction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Add this line:  extra_cmd=NULL;
> in file ext/standard/mail.c, (line #152, juste before if (extra_cmd !=
> NULL) { ) :
> and recompile php.

You can also use extra_cmd = php_escape_shell_cmd(extra_cmd);
to unescape all characters.

In latest CVS you can see
extra_cmd = php_escape_shell_arg(Z_STRVAL_PP(argv[4]));

But it is not a suffisant check because php_escape_shell_arg
does not escape all charaters.

See ext/standard/exec.c for php_escape_shell_* code.

Next message: Glynn Clements: "Re: Linux, too, sot of (Windows MS-DOS Device Name DoS vulnerabilities)"
Previous message: Phaedrus: "Re: long filename issue in Win9x"
Maybe in reply to: Laurent Sintes: "php mail function bypass safe_mode restriction"
Next in thread: Jon Ribbens: "Re: php mail function bypass safe_mode restriction"
Next in thread: Stuart Moore: "Re: php mail function bypass safe_mode restriction"
Reply: Jon Ribbens: "Re: php mail function bypass safe_mode restriction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 09:31:30 PDT