Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP escapeshellarg() and escapeshellcmd() Parsing Flaws May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1010410
SecurityTracker URL:
CVE Reference:   CVE-2004-0542   (Links to External Site)
Updated:  Jun 10 2004
Original Entry Date:  Jun 7 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.3.6 and prior versions
Description:   An input validation vulnerability was reported in PHP in the escapeshellarg() and escapeshellcmd() functions. A remote user may be able to bypass the escape function to execute arbitrary commands. Windows-based systems are affected.

Daniel Fabian reported that on Windows platforms, the escapeshellarg() function contains a flaw. A remote user may be able to supply specially crafted input to execute commands on the target system. The specific impact depends on the script that implements the vulnerable function.

The report indicates that the escapeshellcmd() is also affected.

The vendor was reportedly notified on April 4, 2004.

The vendor has confirmed this vulnerability in an announcement, available at:

Impact:   A remote user may be able to execute arbitrary commands via a script that implements the vulnerable function.
Solution:   The vendor has released a fixed version (4.3.7), available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Only Windows systems are affected.

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] PHP escapeshellarg Windows Vulnerability

SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor

Vendor: PHP (
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7


PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to
 execute additional commands. However due to a bug in the function, this does not work with the windows version of PHP.

Vulnerable is for example the following code:

$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);

system("htpasswd -nb $user $pwd", $return);

If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.


- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In former version (4.3.3) the execution of additional commands was only
 possible when single quotes were used.

- While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according
 to the changelog of v4.3.7).

Recommended Hotfixes

Update PHP to version 4.3.7.

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com


SEC CONSULT Unternehmensberatung GmbH

Blindengasse 3
A-1080 Wien

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC