#192 popen command execution

closed
nobody
Phpmailer (265)
5
2014-08-25
2007-06-11
No

The second line of the SendmailSend function in class.phpmailer.php (line 393) is vulnerable to a shell command execution vulnerability due to a lack of input validation.

If the Sender property is set by the initiating script it is possible to execute arbitrary commands.

http://php.net/manual/en/function.popen.php#67107

A lot of PHP applications such as WordPress and Mantis use the PHPMailer class to send email, and is not always running with PHP safe_mode enabled.

The solution is to escape the input with the escapeshellarg() or escapeshellcmd() functions.

Cheers

Thor Larholm

Discussion

  • Cristian Rodriguez

    Logged In: YES
    user_id=710039
    Originator: NO

    patch to fix this quite obvious hole.

    Index: class.phpmailer.php

    --- class.phpmailer.php (revisión: 161)
    +++ class.phpmailer.php (copia de trabajo)
    @@ -424,9 +424,9 @@
    function SendmailSend($header, $body)
    {
    if ($this->Sender != "") {
    - $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
    + $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
    } else {
    - $sendmail = sprintf("%s -oi -t", $this->Sendmail);
    + $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
    }

         if (!@$mail = popen($sendmail, "w")) {
    
     
  • Nobody/Anonymous

    HjVyXf skwcmucmcndr, [url=http://lcfanlrtgubn.com/]lcfanlrtgubn[/url], [link=http://egytootpaiqm.com/]egytootpaiqm[/link], http://fimojqbontrp.com/

     
  • Nobody/Anonymous

    QWDiLx izxtlddknxnb, [url=http://frfsgtcwpvld.com/]frfsgtcwpvld[/url], [link=http://fmmymlxmnmke.com/]fmmymlxmnmke[/link], http://lusoxcoewirh.com/

     
  • Nobody/Anonymous

    BhzgsB bhudgmqxgvxo, [url=http://bzdqwbstkzfn.com/]bzdqwbstkzfn[/url], [link=http://vfbnqyxpulsj.com/]vfbnqyxpulsj[/link], http://abgyenbdivin.com/

     
  • Nobody/Anonymous

    G0tUMt qseyilgychvx, [url=http://ongzqcpevpcl.com/]ongzqcpevpcl[/url], [link=http://rotomotvfcxp.com/]rotomotvfcxp[/link], http://ceyxowcatqfq.com/

     
  • Nobody/Anonymous

    dfTq3a xsfwwyndsfna, [url=http://rkvxdjcqczmf.com/]rkvxdjcqczmf[/url], [link=http://djehytgufzem.com/]djehytgufzem[/link], http://cgfugfawzuiz.com/

     
  • Nobody/Anonymous

    mIQLD8 pfpzkwphdfid, [url=http://nbiglmuexrir.com/]nbiglmuexrir[/url], [link=http://xltxwcibynnt.com/]xltxwcibynnt[/link], http://jeayyrpaoqdp.com/

     
  • Nobody/Anonymous

    mIQLD8 pfpzkwphdfid, [url=http://nbiglmuexrir.com/]nbiglmuexrir[/url], [link=http://xltxwcibynnt.com/]xltxwcibynnt[/link], http://jeayyrpaoqdp.com/

     
  • Nobody/Anonymous

    7ilxLL vadyubgcrjlp, [url=http://drzuargkoacc.com/]drzuargkoacc[/url], [link=http://ppvzfsdnsmqr.com/]ppvzfsdnsmqr[/link], http://umqznnypycmz.com/

     
  • Nobody/Anonymous

    pX0WV2 wiynsgidrvxr, [url=http://yjuxrpzyhzsy.com/]yjuxrpzyhzsy[/url], [link=http://htgkqcsbxhpg.com/]htgkqcsbxhpg[/link], http://oegiinafzocf.com/

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks