PHP mb_send_mail多个安全绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109833 漏洞类型 访问验证错误
发布时间 2006-02-28 更新时间 2006-03-07
CVE编号 CVE-2006-1014 CNNVD-ID CNNVD-200603-074
漏洞平台 PHP CVSS评分 3.2
|漏洞来源
https://www.exploit-db.com/exploits/27335
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-074
|漏洞详情
在某些PHP4.x和5.x应用程序中的参数注入漏洞,当发送邮件和接收远程输入使用到位于mb_send_mail函数中的additional_parameters参数时,允许按内容攻击者通过向发送邮件提供extra-C和-X参数,阅读和创建任意文件。注意:这是一类技术性漏洞,而非特殊情况,对此可能尚有争论。
|漏洞EXP
source: http://www.securityfocus.com/bid/16878/info
 
PHP is prone to multiple input-validation vulnerabilities that could allow 'safe_mode' and 'open_basedir' security settings to be bypassed. These issues reside in the 'mb_send_mail()' function, the 'mail()' function, and various PHP IMAP functions.

mb_send_mail($email_address, NULL, NULL, NULL, $additional_param);
|参考资料

来源:BUGTRAQ
名称:20060228(PHP)mb_send_mailsecuritybypass
链接:http://www.securityfocus.com/archive/1/archive/1/426342/100/0/threaded
来源:SECUNIA
名称:18694
链接:http://secunia.com/advisories/18694
来源:VUPEN
名称:ADV-2006-0772
链接:http://www.frsirt.com/english/advisories/2006/0772
来源:BID
名称:16878
链接:http://www.securityfocus.com/bid/16878
来源:OSVDB
名称:23534
链接:http://www.osvdb.org/23534
来源:SUSE
名称:SUSE-SA:2006:024
链接:http://www.novell.com/linux/security/advisories/05-05-2006.html
来源:SECUNIA
名称:19979
链接:http://secunia.com/advisories/19979