Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » PHP: Bypass safe_mode and inject ASCII control chars with mail()

PHP: Bypass safe_mode and inject ASCII control chars with mail()

by Nikola Strahija on August 24th, 2002 Two vulnerabilities exists in mail() PHP function. The first one allows to execute any program/script bypassing safe_mode restriction, the second one may give an open-relay script if mail() function is not carefully used in PHP scripts.


Description:
============

PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML.


Details:
========

(1) Bypassing safe_mode restriction

If PHP is configured with safe_mode option enabled, special restriction
are set up including limit on external binaries that may be executed
from within a PHP script.

The 5th argument to the mail() function (introduced in version 4.0.5)
allow specifying command line option to the sendmail binary. Some time
ago a bug was found in the mail() function allowing to pass shell
meta-characters in the 5th argument, leading to execute arbitrary shell
commands or external binaries. This bug was fixed in version 4.1.0.

However, mail() function is still vulnerable because it allows to pass
command line arguments to the sendmail binary which gives the ability to
influence its behavior (i.e. by using non-default aliases, custom
configuration files - other cases are possible with others MTAs)

Passing 5th argument should be disabled if PHP is configured in safe_mode.

Exploit attached at the end.

(2) Injecting ASCII control characters into mail() arguments

Arbitrary ASCII control characters may be injected into string arguments
of mail() function. If mail() arguments are takeon from user's input it
may give the user ability to alter message content including mail
headers.

Example of such a vulnerability may be found on PHP.net site:

(URL wrapped for readability)
http://www.php.net/mailing-lists.php?
[email protected]%[email protected]%0a

PHP should do content filtering before creating message body sent
with "sendmail -t" command.


Impact:
=======

(1) Any user may bypass safe_mode restrictions if mail() function is not
disabled.
(2) Open-relay PHP script if user's data is poorly or not filtered and
passed to the mail() function.


Exploit:
========

Sample exploit for (1) that works with sendmail MTA:

- -----8
- -----8


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »