On 2017-05-09, Andrew C Aitchison <andrew@???> wrote:
> On Tue, 9 May 2017, admin@??? wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2118
>>
>> Jasen Betts <jasen@???> changed:
>>
>> What |Removed |Added
>> ----------------------------------------------------------------------------
>> CC| |jasen@???
>>
>> --- Comment #7 from Jasen Betts <jasen@???> ---
>> It looks to me like a "shell injection" flaw in wordpress.
>
> Yes, but exim provides a language for the hacker to
> modify the command after wordpress has sanitised it :-(
Argument 5 of PHP's mail() is mangled by escapeshellcmd() and
there's no clear documentation on how to separate arguments in input to
escapeshellcmd().

Yet another failed attempt at security from php.net.

If they'd left mail()'s 5th argument unescaped, escapeshellarg() could be
invoked by the programmer as needed and security would be simple, but
the PHP philosophy has always been to first ignore security and then to try
to force security on the programmer (see "magic quotes" for an example
of this).

Given that PHP is wrong-headed and can't be fixed, and wordpress isn't going
away or leaving PHP, I reluctantly admit that dropping exim features when
called sendmail seems like the least evil.
--
This email has not been checked by half-arsed antivirus software
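
An added example, not part of the original message or of any project's code: an application-side check on the envelope sender before it reaches the fifth argument of mail(). It relies on the escaping described above leaving whitespace untouched, so argument boundaries have to be enforced by the caller. The helper names `safe_sender_param()` and `send_with_sender()` and the sample addresses are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Return the "-f<address>" string for mail()'s 5th argument, or null when the
 * address is not safe to place on the sendmail command line.
 * Hypothetical helper, strict allowlist: no whitespace, quotes, parentheses,
 * '$', braces or backslashes, and no leading '-', so the value stays a single
 * argv entry and contains nothing an MTA could treat as an expansion.
 */
function safe_sender_param(string $sender): ?string
{
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@' . $label
             . '(?:\.' . $label . ')+\z/';
    if (strlen($sender) > 254 || preg_match($pattern, $sender) !== 1) {
        return null;
    }
    return '-f' . $sender;
}

/** Refuse to send rather than pass an unvalidated sender to the MTA. */
function send_with_sender(string $to, string $subject, string $body, string $sender): bool
{
    $param = safe_sender_param($sender);
    if ($param === null) {
        error_log('rejected envelope sender: ' . json_encode($sender));
        return false;
    }
    return mail($to, $subject, $body, '', $param);
}

// Constructed sample input. The second entry shows why escaping alone is not
// enough: escapeshellcmd() returns it unchanged, so the shell would split it
// into two arguments. The allowlist rejects it instead.
$samples = [
    'bounce@example.org',
    'bounce@example.org EXTRA',
    '"a b"@example.org',
    '-bounce@example.org',
];
foreach ($samples as $s) {
    printf(
        "%-26s escapeshellcmd: %-26s allowlist: %s\n",
        $s,
        escapeshellcmd($s),
        safe_sender_param($s) ?? 'REJECTED'
    );
}
```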