http://qa.mandrakesoft.com/show_bug.cgi?id=4610
[EMAIL PROTECTED] changed:
What          |Removed     |Added
----------------------------------------------------------------------------
Status        |UNCONFIRMED |NEW
Ever Confirmed|            |1
------- Additional Comments From [EMAIL PROTECTED] 2003-09-08 11:35 -------
confirmed mail() is broken.
------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: NEW
creation_date:
description:
We've installed the security updates for PHP a few days ago on our Mandrake 8.2
www server.
Today, we've noticed that our web application fails to send mails.
In /var/log/messages we can see the following error:
"mail() is not supported in this PHP build"
It seems that mail support was left out when compiling the package... :(
The description on MandrakeUpdate says:
"A vulnerability was discovered in the transparent session ID support
in PHP4 prior to version 4.3.2. It did not properly escape user-
supplied input prior to inserting it in the generated web page. This
could be exploited by an attacker to execute embedded scripts within
the context of the generated HTML (CAN-2003-0442).
As well, two vulnerabilities had not been patched in the PHP packages
included with Mandrake Linux 8.2: The mail() function did not filter
ASCII control filters from its arguments, which could allow an attacker
to modify the mail message content (CAN-2002-0986). Another
vulnerability in the mail() function would allow a remote attacker to
bypass safe mode restrictions and modify the command line arguments
passed to the MTA in the fifth argument (CAN-2002-0985).
All users are encouraged to upgrade to these patched packages."
Well, disabling mail() completely is not an acceptable solution! There are
applications that depend on this functionality. I hope this is just a typo in the RPM
package, not the policy of this security fix...
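
The advisory quoted in the report describes control characters in mail() arguments (CAN-2002-0986) and the fifth argument reaching the MTA command line (CAN-2002-0985). The following is an added example, not part of the bug report or the Mandrake packages: an application-side wrapper that rejects such arguments and reports a failed mail() call to the caller instead of leaving it in the system log. The function names are hypothetical and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the bug report); safe_mail() and
// mail_arg_errors() are hypothetical names. Assumes PHP 7.1 or later.

// Return a list of problems with the arguments; empty means acceptable.
function mail_arg_errors(string $to, string $subject, array $headers): array
{
    $errors = [];
    $ctl = '/[\x00-\x1F\x7F]/'; // ASCII control characters, CR and LF included
    if (preg_match($ctl, $to)) {
        $errors[] = 'control character in recipient';
    }
    if (preg_match($ctl, $subject)) {
        $errors[] = 'control character in subject';
    }
    foreach ($headers as $name => $value) {
        // \z anchors at the true end, so a trailing newline is not accepted.
        if (!preg_match('/^[A-Za-z0-9-]+\z/', (string) $name)) {
            $errors[] = 'invalid header name';
        }
        if (preg_match($ctl, (string) $value)) {
            $errors[] = "control character in header $name";
        }
    }
    return $errors;
}

function safe_mail(string $to, string $subject, string $body, array $headers = []): void
{
    $errors = mail_arg_errors($to, $subject, $headers);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = "$name: $value";
    }
    // The fifth argument (extra MTA command-line parameters) is never passed,
    // so no request data can reach the MTA command line.
    if (mail($to, $subject, $body, implode("\r\n", $lines)) !== true) {
        throw new RuntimeException('mail() did not report success');
    }
}

// Constructed inputs: the second subject carries a CR/LF pair.
var_dump(mail_arg_errors('user@example.org', 'Weekly report', ['Reply-To' => 'ops@example.org']));
var_dump(mail_arg_errors('user@example.org', "Hello\r\nX-Test: 1", []));
```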