On 2017-05-09, Andrew C Aitchison <[email protected]> wrote:
> On Tue, 9 May 2017, [email protected] wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2118
>>
>> Jasen Betts <[email protected]> changed:
>>
>>            What    |Removed                     |Added
>> ----------------------------------------------------------------------------
>>                  CC|                            |[email protected]
>>
>> --- Comment #7 from Jasen Betts <[email protected]> ---
>> It looks to me like a "shell injection" flaw in wordpress.
>
> Yes, but exim provides a language for the hacker to
> modify the command after wordpress has sanitised it :-(

Argument 5 of php's mail() is mangled by escapshellcommand()
and there's no clear documentation on how to separate arguments
in input to escapshellcommand()

Yet another failed attempt at security from php.net.

If they'd left mail()'s 5th argument unescaped, escapeshellarg() could
be invoked by the programmer as needed and security would be simple.
But the PHP philosophy has always been to first ignore security and
then to try to force security on the programmer (see "magic quotes"
for an example of this).

Given that PHP is wrong-headed and can't be fixed, and wordpress isn't
going away or leaving PHP, I reluctantly admit that dropping exim
features when called sendmail seems like the least evil.

--
This email has not been checked by half-arsed antivirus software
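
Added example, not part of the thread and not code from PHP, WordPress or Exim: one way an application can validate an envelope sender itself before it reaches mail()'s fifth argument, instead of relying on the escaping mail() applies internally. The helper name envelope_sender_param() and the sample addresses are hypothetical; the allowlist is deliberately stricter than RFC 5321.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: build the value for mail()'s 5th argument,
 * or return null when the address must be refused.
 */
function envelope_sender_param(string $addr): ?string
{
    if (strlen($addr) > 254) {
        return null;
    }
    // Allowlist only: no whitespace, quotes, backslashes, '$' or braces,
    // and the local part may not begin with '-'.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $re = '/\A[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}@' . $label . '(?:\.' . $label . ')+\z/';
    if (preg_match($re, $addr) !== 1) {
        return null;
    }
    return '-f' . $addr;
}

// Constructed sample inputs, not taken from the bug report.
$samples = [
    'alice@example.org',
    'alice@example.org second-token',  // embedded space
    "alice@example.org\tsecond-token", // embedded tab
    '"a b"@example.org',               // quoted local part with a space
];

foreach ($samples as $s) {
    // On Unix, escapeshellcmd() escapes shell metacharacters but leaves
    // whitespace alone, so a value with a space is still several arguments.
    $spaceSurvives = strpos(escapeshellcmd('-f' . $s), ' ') !== false;
    $param = envelope_sender_param($s);
    printf(
        "%-36s space survives escapeshellcmd: %-3s helper: %s\n",
        json_encode($s),
        $spaceSurvives ? 'yes' : 'no',
        $param ?? 'REFUSED'
    );
}
```

Only the first sample is accepted; the other three are refused before mail() is ever called.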
