CVE-2001-1246

PHP 4.0.5-4.1.0 - Command Injection via mail() Function 5th Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-1246. PoCs published by Wojciech Purczynski.

AI-analyzed exploit summary This exploit leverages a vulnerability in PHP's mail function to execute arbitrary commands by manipulating sendmail configuration files. It bypasses safe_mode restrictions by passing command-line arguments to sendmail, allowing local privilege escalation to the HTTP process UID.

Description

PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Wojciech Purczynski · phplocalphp

https://www.exploit-db.com/exploits/20985

View Code ZIP pw:eip

This exploit leverages a vulnerability in PHP's mail function to execute arbitrary commands by manipulating sendmail configuration files. It bypasses safe_mode restrictions by passing command-line arguments to sendmail, allowing local privilege escalation to the HTTP process UID.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP (versions affected by CVE-2001-1246)

No auth needed

Prerequisites: Local access to the system · PHP with safe_mode enabled · Write permissions to /tmp directory

MITRE ATT&CK