PHP mail() function could be used to bypass safe mode restrictions

php-mail-safemode-bypass (9966) Risk level: Medium

Description:

The mail() function in PHP fails to properly filter user-supplied input passed in its 5th argument (the extra parameters handed to the Mail Transport Agent). If the safe_mode option is enabled in PHP, a remote attacker could bypass this restriction by passing malicious shell commands to the Mail Transport Agent (MTA) through that 5th argument to mail(), which would allow the attacker to execute commands on the system.
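One defensive pattern for the 5th argument described above, added here as an example and not taken from PHP's sources or from this advisory: validate the envelope sender against a narrow allowlist and never forward extra MTA parameters at all while safe_mode is on. The function names and the sample addresses are constructed for this illustration.

```php
<?php
// Added example: a wrapper that never hands raw user input to mail()'s
// fifth argument. Only a strictly validated envelope sender is accepted,
// and the extra MTA argument is dropped entirely under safe_mode.
// Function names and sample values are constructed for this example.

// Return the address if it matches a deliberately narrow allowlist, else null.
function validate_envelope_sender($addr) {
    // Letters, digits, dot, underscore, plus and hyphen only. Whitespace,
    // quotes, semicolons and other shell metacharacters cannot pass.
    // \z (not $) so a trailing newline is rejected as well.
    $pattern = '/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/';
    return preg_match($pattern, $addr) ? $addr : null;
}

// Build the fifth argument for mail(), or null if it must not be used.
function build_mta_parameters($from) {
    if (ini_get('safe_mode')) {
        return null;   // never pass extra MTA arguments while safe_mode is on
    }
    $clean = validate_envelope_sender($from);
    return ($clean === null) ? null : '-f' . $clean;
}

// Send mail with an explicit envelope sender only when it passed validation;
// otherwise fall back to the MTA's default sender instead of failing open.
function send_with_sender($to, $subject, $body, $from) {
    $params = build_mta_parameters($from);
    if ($params === null) {
        return mail($to, $subject, $body);
    }
    return mail($to, $subject, $body, '', $params);
}

// Self-check of the validator on constructed inputs; no mail is sent here.
// Returns true when well-formed addresses pass and metacharacters are refused.
function self_check() {
    $ok  = validate_envelope_sender('alice@example.com') === 'alice@example.com';
    $ok  = $ok && validate_envelope_sender('alice@example.com; extra') === null;
    $ok  = $ok && validate_envelope_sender("alice@example.com\nbob") === null;
    $ok  = $ok && validate_envelope_sender('alice@example.com "x"') === null;
    return $ok;
}

echo self_check() ? "validator ok\n" : "validator FAILED\n";
```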


Consequences:

Bypass Security

Remedy:

Upgrade to the latest version of PHP (4.2.3 or later), available from the PHP Web site. See References.

For Debian GNU/Linux:
Upgrade to the latest PHP3 or PHP4 package, as listed below. Refer to DSA-168-1 for more information. See References.

Debian GNU/Linux 2.2 (potato) for PHP3: 3.0.18-0potato1.2 or later
Debian GNU/Linux 2.2 (potato) for PHP4: 4.0.3pl1-0potato4 or later
Debian GNU/Linux 3.0 (woody) for PHP3: 3.0.18-23.1woody1 or later
Debian GNU/Linux 3.0 (woody) for PHP4: 4.1.2-5 or later

For SuSE Linux:
Upgrade to the latest mod_php4 package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:036 for more information. See References.

SuSE Linux: 8.0 (Intel): 4.1.0-257 or later
SuSE Linux: 7.3 (Intel): 4.0.6-193 or later
SuSE Linux: 7.3 (Sparc): 4.0.6-66 or later
SuSE Linux: 7.3 (PPC): 4.0.6-99 or later
SuSE Linux: 7.2 (Intel): 4.0.6-192 or later
SuSE Linux: 7.1 (Intel): 4.0.4pl1-142 or later
SuSE Linux: 7.1 (Alpha): 4.0.4pl1-54 or later
SuSE Linux: 7.1 (Sparc): 4.0.4pl1-45 or later
SuSE Linux: 7.1 (PPC): 4.0.4pl1-53 or later
SuSE Linux: 7.0 (Intel): 4.0.4pl1-135 or later
SuSE Linux: 7.0 (Alpha): 4.0.4pl1-55 or later
SuSE Linux: 7.0 (PPC): 4.0.4pl1-45 or later

For Red Hat Linux:
Upgrade to the latest PHP package, as listed below. Refer to RHSA-2002:213-06 for more information. See References.

Red Hat 7.0: 4.1.2-7.0.6 or later
Red Hat 7.1: 4.1.2-7.1.6 or later
Red Hat 7.2: 4.1.2-7.2.6 or later
Red Hat 7.3: 4.1.2-7.3.6 or later

For Conectiva Linux:
Upgrade to the latest PHP4 package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:545 for more information. See References.

Conectiva Linux 7.0: 4.1.1-1U70_5cl or later
Conectiva Linux 8.0: 4.1.1-7U80_1cl or later

For Gentoo Linux:
Upgrade dev-php/php-4.2.2-r1 and/or dev-php/mod_php-4.2.2-r1 and earlier versions, as listed in Gentoo Linux Security Announcement 200211-005. See References.

For OpenPKG:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.032-php for more information. See References.

OpenPKG CURRENT: 4.3.2-20030529 or later
OpenPKG 1.1: 4.2.2-1.1.2 or later

For other distributions: Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Debian Debian Linux 2.2
  • Debian Debian Linux 3.0
  • Gentoo Linux
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
  • Novell SuSE Linux Enterprise Server
  • OpenPKG OpenPKG 1.1
  • OpenPKG OpenPKG 1.2
  • OpenPKG OpenPKG CURRENT
  • PHP PHP 4.0 Beta1
  • PHP PHP 4.0 Beta2
  • PHP PHP 4.0 Beta3
  • PHP PHP 4.0 Beta 4 Patch1
  • PHP PHP 4.0 RC1
  • PHP PHP 4.0 RC2
  • PHP PHP 4.0 Beta4
  • PHP PHP 4.0.0
  • PHP PHP 4.0.1
  • PHP PHP 4.0.2
  • PHP PHP 4.0.3
  • PHP PHP 4.0.4
  • PHP PHP 4.0.5
  • PHP PHP 4.0.6
  • PHP PHP 4.0.7
  • PHP PHP 4.1.0
  • PHP PHP 4.1.1
  • PHP PHP 4.1.2
  • PHP PHP 4.1.3
  • PHP PHP 4.2.0
  • PHP PHP 4.2.1
  • PHP PHP 4.2.2
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • RedHat Stronghold
  • SuSE SuSE eMail Server III
  • SUSE SuSE Linux 7.0
  • SUSE SuSE Linux 7.1
  • SUSE SuSE Linux 7.2
  • SUSE SuSE Linux 7.3
  • SUSE SuSE Linux 8.0
  • SuSE SuSE Linux Connectivity Server
  • SuSE SuSE Linux Office Server

Reported:

Aug 23, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
