From: [EMAIL PROTECTED] Operating system: Any PHP version: 4.0.5 PHP Bug Type: *Mail Related Bug description: Security bug in php 4.0.5+ http://www.net-security.org/text/bugs/995534103,28541,.shtml: PHP Mail Function Vulnerability Posted on 19.7.2001 php mail() function does not do check for escape shell commandes, even if php is running in safe_mode. So it's may be possible to bypass the safe_mode restriction and gain shell access. Affected: php4.0.6 php4.0.5 Significatives lines of ext/standard/mail.c: >extra_cmd = (*argv[4])->value.str.val; >strcat (sendmail_cmd, extra_cmd); >sendmail = popen(sendmail_cmd, "w"); Exploit: mail("[EMAIL PROTECTED]", "test", "test", "test", "; shell_cmd"); -- Edit bug report at: http://bugs.php.net/?id=12268&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
