[VIM] PHP-Fusion Remote Command Execution Vulnerability

George A. Theall theall at tenable.com
Wed Aug 11 01:15:47 CDT 2010


Exploit DB 14405 / Bugtraq 41758, which cover vulnerabilities in PHP-Fusion
(possibly just an Arabic-language version), look bogus to me.

ViRuS Qalaa points out a vulnerable line of code (at line 438) in
'includes/class.phpmailer.php' and offers as a proof-of-concept a URL
that calls that file directly, passing in the command through the
'sendmail' parameter.

I downloaded the script s/he helpfully points to and looked at that  
file. It simply defines a class. There's no way to actually call any  
of the functions in it by calling the script directly. Here's a larger  
snippet of code showing the supposed vulnerability, starting at line  
421:

     function SendmailSend($header, $body) {
       if ($this->Sender != '') {
         $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
       } else {
         $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
       }

       if(!@$mail = popen($sendmail, 'w')) {
         $this->SetError($this->Lang('execute') . $this->Sendmail);
         return false;
       }

       fputs($mail, $header);
       fputs($mail, $body);

       $result = pclose($mail) >> 8 & 0xFF;

'$this->Sendmail' is hardcoded elsewhere in the file as
'/usr/sbin/sendmail'. And while it can be changed by calling 'IsQmail()',
that too uses a hardcoded value. So even if you could somehow call the
affected function, I don't see how an attacker could gain control of
the variable in the function.

Anyone else look into this?


George
-- 
theall at tenablesecurity.com
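As an added example (not part of George's post and not PHPMailer's own code), here is a small Python triage script that mechanises the two checks the post makes by hand: whether a PHP file executes anything when it is requested directly, and whether the Sendmail property is ever assigned from something other than a string literal. The two PHP samples embedded in it are constructed to mirror the structure the post describes and are not the real 'includes/class.phpmailer.php'; the function names and the brace/regex scanner are my own, and it is a triage aid, not a PHP parser.

```python
"""Triage for advisories like Exploit DB 14405: does a PHP file run code when
requested directly, and is Sendmail assigned only from literals?
Added example using a brace/regex scanner, not a real PHP parser."""
from __future__ import annotations
import re

# Constructed sample mirroring what the post describes (a class-only file
# whose Sendmail property is set only from hardcoded strings).  Not the
# real PHPMailer source.
SAMPLE_PHP = r"""<?php
class PHPMailer {
  var $Sendmail = "/usr/sbin/sendmail";
  var $Sender = '';
  function IsQmail() {
    $this->Sendmail = "/var/qmail/bin/sendmail";
  }
  function SendmailSend($header, $body) {
    if ($this->Sender != '') {
      $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
    } else {
      $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
    }
    if(!@$mail = popen($sendmail, 'w')) { return false; }
    fputs($mail, $header);
    fputs($mail, $body);
    return pclose($mail) >> 8 & 0xFF;
  }
}
?>
"""

# Constructed contrast case: statements run at top level and Sendmail takes a
# non-literal value, so both checks should fire here.
CONTRAST_PHP = r"""<?php
class Mailer {
  var $Sendmail = "/usr/sbin/sendmail";
  function setPath($p) { $this->Sendmail = $p; }
}
$m = new Mailer();
$m->setPath($_GET['sendmail']);
?>
"""

DECL_KEYWORDS = ("class", "abstract", "final", "interface", "function")

def top_level_statements(src: str) -> list[str]:
    """Statements at brace depth 0, i.e. code that runs when the file is
    requested directly.  Class/function headers are declarations and are
    skipped; namespace/use/require lines would be listed and need a human eye."""
    src = re.sub(r"<\?php|<\?|\?>", " ", src)  # drop PHP tags
    stmts, buf, depth, i, n = [], [], 0, 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i) or c == "#":        # line comment
            j = src.find("\n", i)
            i = n if j == -1 else j
            continue
        if src.startswith("/*", i):                     # block comment
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        if c in "'\"":                                  # string literal
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            if depth == 0:
                buf.append(src[i:j + 1])
            i = j + 1
            continue
        if c == "{":
            if depth == 0:
                head = "".join(buf).strip()
                if head and not head.startswith(DECL_KEYWORDS):
                    stmts.append(head + " {...}")       # e.g. a top-level if
                buf = []
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                buf = []
        elif c == ";" and depth == 0:
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        elif depth == 0:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    return stmts + ([tail] if tail else [])

# Property assignments only; the local '$sendmail' variable is not matched,
# and '=(?!=)' keeps comparisons out.
ASSIGN_RE = re.compile(
    r"(?:\$this->|(?:var|public|private|protected)\s+\$)Sendmail\s*=(?!=)\s*([^;]+);")
LITERAL_RE = re.compile(r"""^(?:'[^']*'|"[^"]*")$""")

def sendmail_sources(src: str) -> list[tuple[str, bool]]:
    """Each value assigned to Sendmail, with True when it is a string literal."""
    return [(m.group(1).strip(), bool(LITERAL_RE.match(m.group(1).strip())))
            for m in ASSIGN_RE.finditer(src)]

def triage(src: str) -> dict[str, list[str]]:
    """Empty lists on both keys mean the file matches the post's description."""
    return {"runs_on_direct_request": top_level_statements(src),
            "non_literal_sendmail": [v for v, lit in sendmail_sources(src) if not lit]}

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_PHP), ("contrast", CONTRAST_PHP)):
        print(name, triage(src))
```

Run against the constructed sample it reports nothing on either key, which is the outcome the post argues for; the contrast case shows what a genuinely reachable, attacker-influenced Sendmail path would look like to the same checks.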
