SECURITYVULNS:DOC:11633
Feb 28, 2006 - 12:00 a.m.

[SA18694] PHP "mb_send_mail()" and IMAP Functions Security Bypass


TITLE:
PHP "mb_send_mail()" and IMAP Functions Security Bypass

SECUNIA ADVISORY ID:
SA18694

VERIFY ADVISORY:
http://secunia.com/advisories/18694/

CRITICAL:
Less critical

IMPACT:
Security Bypass

WHERE:
Local system

SOFTWARE:
PHP 4.0.x
http://secunia.com/product/1655/
PHP 4.1.x
http://secunia.com/product/1654/
PHP 4.2.x
http://secunia.com/product/105/
PHP 4.3.x
http://secunia.com/product/922/
PHP 4.4.x
http://secunia.com/product/5768/
PHP 5.0.x
http://secunia.com/product/3919/
PHP 5.1.x
http://secunia.com/product/6796/

DESCRIPTION:
Cédric Clerget has discovered two vulnerabilities in PHP, which can be
exploited by malicious people to bypass certain security
restrictions.

1) The PHP "mb_send_mail()" function allows additional parameters to
be passed to sendmail via the "additional_parameter" parameter. This
can be exploited to cause sendmail to read arbitrary files on the
system as its configuration file and to save the resulting log file to
arbitrary writable directories. The saved log file may contain
portions of the file that was read as the configuration file.

Example:
$additional_param = "-C ".$file_to_read." -X ".getcwd()."/".$output_file;
mb_send_mail($email_address, NULL, NULL, NULL, $additional_param);

Successful exploitation allows the bypassing of certain "safe_mode"
and "open_basedir" restrictions.

The vulnerability has been confirmed in version 5.1.2 and also
reported in version 4.x. Other versions may also be affected.

2) The PHP imap functions, e.g. "imap_open()", "imap_body()", and
"imap_list()", can be exploited to read arbitrary files and obtain
listings of arbitrary directories even when "safe_mode" and
"open_basedir" are configured. It is reportedly also possible to
create, delete, and rename files with Apache privileges using the
"imap_createmailbox()", "imap_deletemailbox()", and
"imap_renamemailbox()" functions.

Successful exploitation allows bypassing of certain "safe_mode" and
"open_basedir" restrictions.

The vulnerability has been confirmed in PHP version 4.4.2 compiled
with c_client 2004g. Other versions may also be affected.

SOLUTION:
Do not compile PHP to enable support of the mbstring or imap
functions if they are not required.
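
To judge whether the mbstring or imap functions are required, an existing
code base can be audited for the calls described above. The following is an
added example, not part of the Secunia advisory: the names split_args and
audit and the sample PHP are constructed for illustration, and matches inside
PHP comments or strings are reported too.

```python
import re

CALL_RE = re.compile(r"\b(mb_send_mail|imap_\w+)\s*\(", re.IGNORECASE)

def split_args(src, start):
    """Split a PHP argument list; start is the index just after '('."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:                          # inside a string literal
            if ch == "\\":
                ch, i = src[i:i + 2], i + 1    # keep the escape pair together
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:                 # closing paren of the call itself
                break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur, ch = [], ""               # start next argument, drop the comma
        cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    return args + [tail] if tail else args

def audit(php_source):
    """Added example, not Secunia's code: (line, function, note) per call to review."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        name = m.group(1).lower()
        line = php_source.count("\n", 0, m.start()) + 1
        args = split_args(php_source, m.end())
        if name.startswith("imap_"):
            findings.append((line, name, "imap function, see SA18694"))
        elif len(args) >= 5 and args[4].upper() != "NULL":
            findings.append((line, name, "sendmail parameters: " + args[4]))
    return findings

SAMPLE = '''<?php
mb_send_mail($to, $subject, $body, $headers);
mb_send_mail($to, $subject, $body, NULL, "-f" . $sender);
mb_send_mail($to, "a, b", join(",", $x), NULL, NULL);
$mbox = imap_open($mailbox, $user, $pass);
'''  # constructed sample input, not taken from the advisory
```

Calling audit() on the contents of each PHP file lists every imap call and
every mb_send_mail() call whose fifth argument is anything other than NULL.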

PROVIDED AND/OR DISCOVERED BY:
Cédric Clerget

