Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1
ID: 16200
Updated by: alec@alec.pl
Reported By: root at 80sec dot com
Summary: security hole allow to read/write Arbitrary File
-Status: Closed
+Status: Open
Type: Bug
Package: Mail
Operating System: linux
Package Version: 1.1.14
PHP Version: 5.2.5
Assigned To: davidc
Roadmap Versions:
New Comment:
-Status: Closed
+Status: Open
Previous Comments:
------------------------------------------------------------------------
[2009-11-21 08:19:39] rgeissert
The fix is incomplete, $recipients also needs to be properly escaped.
- $recipients = escapeShellCmd(implode(' ', $recipients));
+ $recipients = implode(' ', array_map('escapeshellarg',
$recipients));
------------------------------------------------------------------------
[2009-11-20 13:08:45] dnikolaenko
Please request a CVE identifier for this bug to be noticed in Linux
distros.
------------------------------------------------------------------------
[2009-05-09 16:17:14] davidc
-Status: Critical
+Status: Closed
This bug has been fixed in CVS.
If this was a documentation problem, the fix will appear on
pear.php.net by the end of next Sunday (CET).
If this was a problem with the pear.php.net website, the change should
be live shortly.
Otherwise, the fix will appear in the package's next release.
Thank you for the report and for helping us make PEAR better.
Could you guys please roll a release? Cheers.
------------------------------------------------------------------------
[2009-05-09 16:16:49] davidc
-Assigned To:
+Assigned To: davidc
------------------------------------------------------------------------
[2009-05-08 05:37:52] doconnor
Above patch adds in Validate and validates the from address is a valid
email.
This may not be correct behaviour.
This may also still be exploitable by targetting different arguments.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://pear.php.net/bugs/bug.php?id=16200