Hi.

I might be having a case of deja vu, because this problem sounds familiar. Is this problem different from the one posted by Joost Pol < joostat_private > on Sat Jun 30 2001 12:40:06 ("php breaks safe mode")? In that one, a problem with an extra 5th parameter that was added to the mail() command and broke safemode was described, affecting 4.0.5. See:

http://www.securityfocus.com/bid/2954

Also, from January 2000 there was a report of a problem in PHP 3 where the popen() command, used by mail(), fails to be applied to the EscapeShellCmd() command. See:

http://www.securityfocus.com/bid/911

So, is the problem w/ popen() or with mail()?

Stuart

----------------------------
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore @ securityglobal.net
----------------------------

-----------------------------------------------------------------
php mail() function does not check for escaped shell commands, even if php is running in safe_mode. So it may be possible to bypass the safe_mode restriction and gain shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");

Exploit:

mail("totoat_private", "test", "test", "test", "; shell_cmd");
-----------------------------------------------------------------
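To make the quoted mail.c lines concrete, here is an added C example (not code from the original post, the advisory, or PHP itself) that builds the sendmail command line the way the three quoted lines do, and beside it a builder that backslash-escapes the extra argument before concatenation, which is the kind of EscapeShellCmd() treatment the January 2000 report says was missing. The sendmail path, the use of a heap buffer instead of mail.c's own buffer, and the exact metacharacter set are assumptions made for the demonstration; popen() itself is not called, the functions only return the string that would reach /bin/sh -c.

```c
/* Added example, not from the post or from PHP's ext/standard/mail.c.
 * Shows why an unescaped fifth mail() argument becomes a second shell
 * command under popen(), and what escaping it changes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sendmail invocation; the real path comes from php.ini. */
#define SENDMAIL_PATH "/usr/sbin/sendmail -t "

/* Vulnerable builder, mirroring the quoted mail.c lines: the user-controlled
 * extra_cmd is appended verbatim. popen() runs the result through
 * /bin/sh -c, so "; shell_cmd" is executed as its own command.
 * Returns a malloc'd string (caller frees), or NULL on allocation failure. */
char *build_sendmail_cmd_unsafe(const char *extra_cmd)
{
    size_t n = strlen(SENDMAIL_PATH) + strlen(extra_cmd) + 1;
    char *cmd = malloc(n);
    if (!cmd) return NULL;
    strcpy(cmd, SENDMAIL_PATH);
    strcat(cmd, extra_cmd);            /* no escaping: shell injection */
    return cmd;
}

/* Backslash-escape shell metacharacters before the string meets /bin/sh.
 * The set below is an assumption modelled on what EscapeShellCmd() covers;
 * it is not copied from PHP. Returns a malloc'd string or NULL. */
char *escape_shell_cmd(const char *s)
{
    const char *meta = "#&;`|*?~<>^()[]{}$\\\n'\"";
    size_t len = strlen(s);
    char *out = malloc(2 * len + 1);   /* worst case: every byte escaped */
    char *p = out;
    if (!out) return NULL;
    for (const char *c = s; *c; c++) {
        if (strchr(meta, *c)) *p++ = '\\';
        *p++ = *c;
    }
    *p = '\0';
    return out;
}

/* Hardened builder: same concatenation, but on the escaped argument, so a
 * ';' is passed to sendmail as a literal argument instead of ending the
 * command. Returns a malloc'd string or NULL. */
char *build_sendmail_cmd_escaped(const char *extra_cmd)
{
    char *esc = escape_shell_cmd(extra_cmd);
    char *cmd;
    if (!esc) return NULL;
    cmd = build_sendmail_cmd_unsafe(esc);   /* safe now: input is escaped */
    free(esc);
    return cmd;
}

/* Would /bin/sh see a second command? Scans for a ';' that is not preceded
 * by an escaping backslash. */
int has_unescaped_semicolon(const char *cmd)
{
    for (const char *c = cmd; *c; c++) {
        if (*c == '\\' && c[1]) { c++; continue; }   /* skip escaped byte */
        if (*c == ';') return 1;
    }
    return 0;
}

int main(void)
{
    const char *extra = "; shell_cmd";          /* the advisory's payload */
    char *u = build_sendmail_cmd_unsafe(extra);
    char *e = build_sendmail_cmd_escaped(extra);
    if (!u || !e) return 1;
    printf("unsafe : %s  (injection: %d)\n", u, has_unescaped_semicolon(u));
    printf("escaped: %s  (injection: %d)\n", e, has_unescaped_semicolon(e));
    free(u);
    free(e);
    return 0;
}
```

Escaping only neutralises the shell; sendmail still receives whatever arguments survive, so under safe_mode the stronger fix is to validate the fifth parameter against an allow-list (for instance only `-f` with a plain address) or to avoid the shell entirely by exec'ing sendmail with an argv array.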
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 09:38:39 PDT