|mail() vulnerability up to php 4.2.2 [message #7209]
||Mon, 11 November 2002 20:51
just found this Redhat advisory, which may apply to all other folks using an older php version:
|the original Redhat advisory|
[...]PHP versions up to and including 4.2.2 contain vulnerabilities in the mail()
function allowing local script authors to bypass safe mode restrictions
and possibly allowing remote attackers to insert arbitrary mail headers and
content into the message.
2. Relevant releases/architectures:
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache
The mail function in PHP 4.x to 4.2.2 may allow local script authors to
bypass safe mode restrictions and modify command line arguments to the
MTA (such as Sendmail) in the fifth argument to mail(), altering MTA
behavior and possibly executing arbitrary local commands.
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
characters from its arguments, which could allow remote attackers to
modify mail message content, including mail headers, and possibly use
PHP as a "spam proxy."
Script authors should note that all input data should be checked for
unsafe data by any PHP scripts which call functions such as mail().[...]
Those who can should upgrade their version. It's always a good idea to grab the latest cvs-stable-sources and build a binary of one's own.
|Re: mail() vulnerability up to php 4.2.2 [message #7210 is a reply to message #7209]
||Mon, 11 November 2002 21:12
This vunreability is rather 'bogus', it only affects admins who think they've secured their PHP installation by using safe_mode. This particular 'vunreability' allow the user on the server to use PHP's mail() function to execute command by using the 5th argument.|
This is fairly harmless since the commands will be executed as the user running the script, in web server enviroment the 'nobody' user...
FUDforum Core Developer