Why can't we use additional_parameters in safe_mode?
falconz opened this issue · 7 comments
When I look at the if/else condition:
```php
if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
    $result = @mail($to, $subject, $body, $header);
} else {
    $result = @mail($to, $subject, $body, $header, $params);
}
```
In this case, I think if safe_mode is ON but $this->UseSendmailOptions is TRUE, the second condition "$result = @mail($to, $subject, $body, $header, $params);" will still be processed.
At line 176 of class.phpmailer.php: "public $UseSendmailOptions = true;"
Can you elaborate? I didn't understand your point.
In readme.md you said that "Then, the code flow goes to mailPassthru() function, which, if running in safe_mode won't be vulnerable to this flaw, as the following code states it"
Why?
Because of this line: `if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {`
But `!$this->UseSendmailOptions` is always TRUE, so when safe_mode is FALSE, this line still happens.
`!$this->UseSendmailOptions` is false in this scenario. Look closer: there is a ! in front of the variable.
Oh! Sorry! I got it. Thank you!
No problem! For any further investigation, if you need, you can just use `error_log("string");`, regenerate the image and run the exploit against it. So you will be able to see the execution flow.