[PEAR-BUG] Bug #16200 [Csd->Opn]: security hole allow to read/write Arbitrary File

Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1

ID: 16200
Updated by: alec@alec.pl
Reported By: root at 80sec dot com
Summary: security hole allow to read/write Arbitrary File
-Status: Closed
+Status: Open
Type: Bug
Package: Mail
Operating System: linux
Package Version: 1.1.14
PHP Version: 5.2.5
Assigned To: davidc
Roadmap Versions:
New Comment:

-Status: Closed
+Status: Open



Previous Comments:
------------------------------------------------------------------------

[2009-11-21 08:19:39] rgeissert

The fix is incomplete, $recipients also needs to be properly escaped.

- $recipients = escapeShellCmd(implode(' ', $recipients));
+ $recipients = implode(' ', array_map('escapeshellarg',
$recipients));

------------------------------------------------------------------------

[2009-11-20 13:08:45] dnikolaenko

Please request a CVE identifier for this bug to be noticed in Linux
distros.

------------------------------------------------------------------------

[2009-05-09 16:17:14] davidc

-Status: Critical
+Status: Closed

This bug has been fixed in CVS.

If this was a documentation problem, the fix will appear on
pear.php.net by the end of next Sunday (CET).

If this was a problem with the pear.php.net website, the change should
be live shortly.

Otherwise, the fix will appear in the package's next release.

Thank you for the report and for helping us make PEAR better.

Could you guys please roll a release? Cheers.

------------------------------------------------------------------------

[2009-05-09 16:16:49] davidc

-Assigned To:
+Assigned To: davidc


------------------------------------------------------------------------

[2009-05-08 05:37:52] doconnor

Above patch adds in Validate and validates the from address is a valid
email.

This may not be correct behaviour.
This may also still be exploitable by targetting different arguments.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://pear.php.net/bugs/bug.php?id=16200