PHP escapeshellarg() and escapeshellcmd() Parsing Flaws May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1010410
SecurityTracker URL: http://securitytracker.com/id?1010410
CVE Reference: CAN-2004-0542
Updated: Jun 10 2004
Original Entry Date: Jun 7 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.3.6 and prior versions
Description: An input validation vulnerability was reported in PHP in the escapeshellarg() and escapeshellcmd() functions. A remote user may be able to bypass the escaping and execute arbitrary commands. Only Windows-based systems are affected.
Daniel Fabian reported that on Windows platforms the escapeshellarg() function contains a flaw. A remote user may be able to supply specially crafted input to execute commands on the target system. The specific impact depends on the script that calls the vulnerable function.
The report indicates that the escapeshellcmd() function is also affected.
The vendor was reportedly notified on April 4, 2004.
The vendor has confirmed this vulnerability in an announcement, available at:
http://www.php.net/release_4_3_7.php
Impact: A remote user may be able to execute arbitrary commands via a script that implements the vulnerable function.
Solution: The vendor has released a fixed version (4.3.7), available at:
http://www.php.net/downloads.php
Vendor URL: www.php.net/
Cause: Input validation error
Underlying OS: Windows (Any)
Underlying OS Comments: Only Windows systems are affected.
Reported By: "Daniel Fabian" <list@fabiand.net>
Message History:
None.
Source Message Contents
Date: Sun, 6 Jun 2004 13:25:30 +0200
From: "Daniel Fabian" <list@fabiand.net>
Subject: [Full-Disclosure] PHP escapeshellarg Windows Vulnerability
SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor
Vendor: PHP (http://www.php.net)
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7
===========
DESCRIPTION
===========
PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However, due to a bug in the function, this does not work with the Windows version of PHP.
The following code, for example, is vulnerable:
[code]
<?php
// Attacker-controlled request parameters are escaped before being interpolated into a shell command line.
$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);
// On PHP 4.3.6 and below for Windows the escaping can be bypassed, so the shell may run more than htpasswd.
system("htpasswd -nb $user $pwd", $return);
[/code]
If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.
===============
GENERAL REMARKS
===============
- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the former version (4.3.3) the execution of additional commands was only possible when single quotes were used.
- While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according to the changelog of v4.3.7).
====================
Recommended Hotfixes
====================
Update PHP to version 4.3.7.
EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com
=======
Contact
=======
SEC CONSULT Unternehmensberatung GmbH
Büro Wien
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com
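The pattern the advisory and the SecurityTracker description above discuss (attacker-controlled input escaped with escapeshellarg() and interpolated into a shell command line) next to two defensive alternatives that do not depend on the escaping function being correct, as an added example that is neither SEC Consult's nor PHP's own code. It assumes PHP 7.4 or later, where proc_open() accepts an array of arguments and starts the program without going through a shell, and an htpasswd binary on the PATH; the function names, the allowlist pattern and the hostile sample input are constructed for illustration.

```php
<?php
// Added example, not code from the advisory or from PHP itself.
// Assumes PHP >= 7.4 (array form of proc_open) and htpasswd on PATH.

declare(strict_types=1);

/**
 * The pattern from the advisory: escapeshellarg() is the only barrier
 * between request input and a shell. On PHP <= 4.3.6 for Windows that
 * barrier was broken, so an input such as  " || dir ||  ran a second
 * command. Kept here only as the "before" for comparison.
 */
function vulnerableHtpasswd(string $user, string $pwd): string
{
    $u = escapeshellarg($user);
    $p = escapeshellarg($pwd);
    $out = shell_exec("htpasswd -nb $u $p");
    return is_string($out) ? $out : '';
}

/**
 * Mitigation 1: allowlist the username before it reaches any command line.
 * An htpasswd username has no business containing quotes, pipes or spaces.
 * Requiring an alphanumeric first character also keeps it from being
 * parsed by htpasswd as an option (argument injection, a separate problem
 * from shell injection).
 */
function assertSafeUsername(string $user): void
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $user)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
}

/**
 * Mitigation 2: do not involve a shell at all. With the array form of
 * proc_open() each element is handed to the child as one argument, so
 * shell metacharacters in $user or $pwd are never interpreted. Passwords
 * legitimately contain such characters, so $pwd is not allowlisted; the
 * shell-less call is what protects it.
 */
function safeHtpasswd(string $user, string $pwd): string
{
    assertSafeUsername($user);

    $descriptors = [
        0 => ['pipe', 'r'],   // child's stdin
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    $proc = proc_open(['htpasswd', '-nb', $user, $pwd], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htpasswd');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("htpasswd exited with status $status: $err");
    }
    return $out;
}

// Constructed input of the shape described in the advisory.
$hostile = '" || dir || ';

try {
    safeHtpasswd($hostile, 'secret');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// A well-formed username goes through without a shell ever seeing it.
echo safeHtpasswd('alice', 'secret');
```

The two mitigations are independent: the allowlist is the cheap check a script can apply regardless of PHP version, while the array form of proc_open() removes the shell from the picture so that the correctness of escapeshellarg() on any platform stops mattering for this call.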