php imap_open Remote Code Execution

The imap_open function in PHP, if called without the /norsh flag, will attempt to preauthenticate the IMAP session using rsh. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary, so ssh's ProxyCommand option can be passed through imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, PrestaShop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. PrestaShop exploitation requires the admin URI and administrator credentials. SuiteCRM and e107 require administrator credentials. Fixed in PHP 5.6.39.
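A defensive wrapper for the call described above, as an added example that is not code from the Metasploit module or from PHP itself: it builds the mailbox string from validated parts and always appends /norsh. The names build_mailbox and rsh_preauth_possible and the sample hosts are assumptions made for illustration; imap.enable_insecure_rsh is the php.ini setting that controls rsh preauthentication in patched PHP builds.

```php
<?php
// Added example. build_mailbox() and rsh_preauth_possible() are hypothetical helpers.

/** Build an imap_open() mailbox string from untrusted host/port/folder input. */
function build_mailbox(string $host, int $port = 993, string $folder = 'INBOX'): string
{
    // Hostname or IPv4 literal only: no whitespace, braces, slashes or
    // option syntax may reach the server part of the mailbox string.
    if (!preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/', $host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    if (preg_match('/[{}\x00-\x1f\x7f]/', $folder)) {
        throw new InvalidArgumentException('invalid IMAP folder');
    }
    // /norsh disables the rsh/ssh preauthentication attempt entirely.
    return sprintf('{%s:%d/imap/ssl/norsh}%s', $host, $port, $folder);
}

/** True when this PHP build would still try rsh for a mailbox lacking /norsh. */
function rsh_preauth_possible(): bool
{
    if (!extension_loaded('imap')) {
        return false;               // imap_open() is not available at all
    }
    $v = ini_get('imap.enable_insecure_rsh');
    // false: the setting does not exist, i.e. an unpatched build.
    return $v === false || filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs: one valid host, three that must be rejected.
$samples = ['mail.example.org', 'mail.example.org/debug',
            'mail.example.org -o Option=value', 'mail.example.org}INBOX'];
foreach ($samples as $host) {
    try {
        echo 'OK       ', build_mailbox($host), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'REJECTED ', json_encode($host), PHP_EOL;
    }
}
echo 'rsh preauth possible on this build: ',
     rsh_preauth_possible() ? 'yes' : 'no', PHP_EOL;
// Usage: imap_open(build_mailbox($host, $port), $user, $pass);
```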

Module Name



  • Anton Lopanitsyn
  • Twoster
  • h00die
  • Paolo Serracino
  • Pietro Minniti
  • Damiano Proietti



  • prestashop
  • suitecrm
  • e107v2
  • Horde IMP H3
  • custom


  • unix


  • cmd



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/linux/http/php_imap_open_rce
    msf exploit(php_imap_open_rce) > show targets
        ...targets...
    msf exploit(php_imap_open_rce) > set TARGET <target-id>
    msf exploit(php_imap_open_rce) > show options
        and set options...
    msf exploit(php_imap_open_rce) > exploit
