Date: Sun, 25 Nov 2018 14:30:06 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: PHP imap_open() script injection

Hi,

On Thu, Nov 22, 2018 at 09:02:14PM +0100, Hanno Böck wrote:
> Hi,
> 
> This was apparently posted on some Russian forum recently and then
> re-posted to GitHub:
> https://antichat.com/threads/463395/#post-4254681
> https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
> 
> PoC code:
> $server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
> imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
> 
> It's pretty self-explaining, it seems imap_open() will pass things to
> ssh and this is vulnerable to a shell injection.
> 
> Impact would be mostly relevant if someone has some imap functionality
> where a user can define a custom imap server. (Though it might also be
> used as a bypass for environments where exec() and similar functions
> are restricted.)
> 
> I reported it to upstream PHP a few days ago, it was closed as a
> duplicate, so it seems they already knew about it. It's unfixed in
> current versions.

CVE-2018-19518 has been assigned by MITRE for this issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518

Regards,
Salvatore
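
For applications that let a user name a custom IMAP server, the case the quoted report singles out, the following is an added example (not code from the thread or from PHP upstream) of allowlist validation applied to the host before it reaches imap_open(). The function name build_imap_mailbox() and the sample inputs are assumptions made for illustration; /norsh is the mailbox flag documented for imap_open() that disables rsh/ssh preauthentication.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP): builds the mailbox string for
// imap_open() from a user-supplied host and port, or throws.
function build_imap_mailbox(string $host, int $port): string
{
    // One DNS label: letters, digits, hyphen; must start and end alphanumeric.
    // This rejects whitespace, tabs, leading '-', '=', '|', '/', '{' and '}',
    // i.e. everything needed to smuggle extra arguments into the host part.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostRe = '/\A' . $label . '(?:\.' . $label . ')*\z/';

    // \A and \z anchor the whole string, so a trailing newline is not accepted.
    // IPv6 literals are deliberately out of scope for this example.
    if (strlen($host) > 253 || preg_match($hostRe, $host) !== 1) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }

    // Same mailbox shape as in the report, with /norsh added as defence in
    // depth. The folder is fixed so no user input lands after the brace.
    return sprintf('{%s:%d/imap/norsh}INBOX', $host, $port);
}

// Constructed sample inputs, for demonstration only.
$samples = [
    'mail.example.org',
    'mail.example.org -oOption=value',
    "host\twith\ttabs",
    '-leading.hyphen',
    'a}b',
];

foreach ($samples as $h) {
    try {
        printf("accepted %s -> %s\n", json_encode($h), build_imap_mailbox($h, 143));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", json_encode($h), $e->getMessage());
    }
}
```

Only the string returned by the helper should be passed to imap_open(); concatenating the raw host into the mailbox string, as in the quoted PoC, skips the check.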
