PHP mail Function safe_mode Restriction Bypass Command Execution Vulnerability

Vulnerability Details

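Vulnerability Summary

PHP is a popular web server-side programming language. It is powerful and easy to use, is installed by default on many Unix operating systems, and can also run on Windows.
The fifth parameter of the PHP mail function is vulnerable. A remote attacker may be able to use this flaw, in combination with a vulnerability in a CGI script, to bypass PHP's safe_mode restrictions and execute system commands.
Starting with PHP-4.0.5, the mail function gained a fifth parameter. Last year it was found that this parameter did not properly filter shell characters, which made it possible to bypass the safe_mode restrictions and execute system commands ( http://www.nsfocus.com/index.php?act=sec_bug&do=view&bug_id=1593 ). That vulnerability was fixed in PHP-4.0.6.
However, the PHP mail function is still vulnerable. The fifth parameter of mail can pass additional option arguments to the MTA (set by sendmail_path in php.ini; the default is sendmail) when mail is sent. The sendmail -Cfile option changes the configuration file, and by using this sendmail feature we can specify commands to execute in that configuration file, so that the PHP mail function bypasses the safe_mode restrictions and executes arbitrary system commands.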

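Vulnerability Advisory

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:

* If other web users on your host can create PHP scripts, temporarily disable the mail function in php.ini: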

disable_functions = mail

Then restart the web server.

* Recompile PHP using the latest PHP CVS code.
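
An added example (not part of the original advisory): a Python check for the first workaround above, which reports whether php.ini lists mail in disable_functions and flags PHP source lines that call mail() with a fifth argument. The sample php.ini text, the PHP snippet and the file name contact.php are constructed for illustration; the argument counter is a heuristic, not a PHP parser.

```python
import re

MAIL_CALL = re.compile(r"(?<![\w>:$])mail\s*\(", re.I)  # bare calls, not ->mail( or imap_mail(

def mail_disabled(ini_text):
    """True if the last disable_functions line in php.ini lists mail."""
    vals = re.findall(r"^[ \t]*disable_functions[ \t]*=(.*)$", ini_text, re.M | re.I)
    names = vals[-1].split(";")[0].replace('"', "").split(",") if vals else []
    return "mail" in [n.strip().lower() for n in names]

def count_args(src, start):
    """Count top-level arguments of the call whose '(' is at src[start] (heuristic)."""
    depth, commas, quote = 0, 0, None
    for i in range(start, len(src)):
        ch = src[i]
        if quote:  # inside a string literal: ignore commas and brackets
            if ch == quote and src[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
            if depth == 0:
                return commas + 1
        elif ch == "," and depth == 1:
            commas += 1
    return 0  # unbalanced call: report nothing

def audit(ini_text, php_sources):
    """Return findings for a php.ini text and a {filename: source} dict."""
    findings = []
    if not mail_disabled(ini_text):
        findings.append("php.ini: mail is not listed in disable_functions")
    for name, src in php_sources.items():
        for m in MAIL_CALL.finditer(src):
            if count_args(src, m.end() - 1) >= 5:
                line = src.count("\n", 0, m.start()) + 1
                findings.append(f"{name}:{line}: mail() called with a fifth argument")
    return findings

# Constructed sample input (not from the advisory); contact.php is a made-up name.
SAMPLE_INI = "safe_mode = On\ndisable_functions = exec, system\n"
SAMPLE_PHP = """<?php
mail($to, $subject, $body);
mail($to, $subject, $body, "From: a@example.org", $extra);
$mailer->mail(1, 2, 3, 4, 5);
"""
```

Calling `audit(SAMPLE_INI, {"contact.php": SAMPLE_PHP})` returns one finding for the php.ini setting and one for line 3 of the sample script.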

Vendor patches:
Debian
------
Debian has released a security advisory (DSA-168-1) and corresponding patches for this issue:

DSA-168-1:New PHP packages fix several vulnerabilities

Link: http://www.debian.org/security/2002/dsa-168

Patch downloads:


References

Source: XF
Name: php-safemode-elevate-privileges(6787)
Link: http://www.iss.net/security_center/static/6787.php

Source: www.php.net
Link: http://www.php.net/do_download.php?download_file=php-4.1.2.tar.gz

Source: BID
Name: 2954
Link: http://www.securityfocus.com/bid/2954

Source: REDHAT
Name: RHSA-2003:159
Link: http://www.redhat.com/support/errata/RHSA-2003-159.html

Source: REDHAT
Name: RHSA-2002:129
Link: http://www.redhat.com/support/errata/RHSA-2002-129.html

Source: REDHAT
Name: RHSA-2002:102
Link: http://www.redhat.com/support/errata/RHSA-2002-102.html

Source: BUGTRAQ
Name: 20010630 php breaks safe mode
Link: http://online.securityfocus.com/archive/1/194425
