PHP escapeshellarg() and escapeshellcmd() Parsing Flaws May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID: 1010410
SecurityTracker URL: http://securitytracker.com/id/1010410
Updated: Jun 10 2004
Original Entry Date: Jun 7 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.3.6 and prior versions
An input validation vulnerability was reported in PHP in the escapeshellarg() and escapeshellcmd() functions. A remote user may be able to bypass the escaping these functions are supposed to perform and execute arbitrary commands. Only the Windows build of PHP is affected.
Daniel Fabian reported that on Windows platforms, the escapeshellarg() function contains a flaw. A remote user may be able to supply specially crafted input to execute commands on the target system. The specific impact depends on the script that implements the vulnerable function.
The report indicates, citing the PHP 4.3.7 changelog, that escapeshellcmd() is also affected.
The vendor was reportedly notified on April 4, 2004.
The vendor has confirmed this vulnerability in an announcement, available at:
A remote user may be able to execute arbitrary commands via a script that implements the vulnerable function.
The vendor has released a fixed version (4.3.7), available at:
Vendor URL: www.php.net/
Cause: Input validation error
Underlying OS: Windows (Any)
Underlying OS Comments: Only Windows systems are affected.
Source Message Contents
Subject: [Full-Disclosure] PHP escapeshellarg Windows Vulnerability
SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor
Vendor: PHP (http://www.php.net)
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7
PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However, due to a bug in the function, this does not work with the Windows version of PHP.
The following code, for example, is vulnerable:
<?php
// Vulnerable as shipped on Windows builds of PHP 4.3.6 and earlier (see above)
$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);
system("htpasswd -nb $user $pwd", $return);
If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.
- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the former version (4.3.3) the execution of additional commands was only possible when single quotes were used.
- While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according to the changelog of v4.3.7).
Update PHP to version 4.3.7.
EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com
SEC CONSULT Unternehmensberatung GmbH
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
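Two hardened forms of the snippet quoted in the advisory, added here as an example; this is not code from the SEC-CONSULT advisory or from the PHP project. The function names htpasswd_line() and build_htpasswd_command() are chosen for illustration, and the example assumes PHP 5.5 or later (for password_hash() and password_verify()) and an Apache 2.4 consumer, which accepts bcrypt hashes in htpasswd files. It goes beyond the page's single case: the first form removes the shell entirely, so the escaping function's platform-specific behaviour stops mattering; the second keeps the shell but allow-lists both arguments before escapeshellarg() is applied, so escaping becomes a second layer rather than the only one.

```php
<?php
// Added example for this page; not code from the SEC-CONSULT advisory or
// from the PHP project. Function names are chosen here for illustration.
//
// Two ways to harden the advisory's snippet so that its safety does not rest
// on escapeshellarg() being correct for the platform PHP happens to run on.

// 1. Preferred: never hand the values to a shell. Apache 2.4's basic auth
//    accepts bcrypt ($2y$) hashes, which PHP can produce itself with
//    password_hash() (PHP >= 5.5), so the htpasswd binary is not needed.
function htpasswd_line($user, $pwd)
{
    // ':' separates the fields of an htpasswd file, so it cannot appear in
    // the user name; a tight allow-list is simpler than listing exclusions.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    $hash = password_hash($pwd, PASSWORD_BCRYPT);
    if ($hash === false) {
        throw new RuntimeException('password hashing failed');
    }
    return $user . ':' . $hash;
}

// 2. If a shell really is unavoidable, validate both arguments against an
//    allow-list first; escapeshellarg() then becomes a second layer rather
//    than the only one. The allow-list excludes every character cmd.exe or
//    sh treats specially (quotes, | & < > ^ % $ ! ( ) and whitespace).
function build_htpasswd_command($user, $pwd)
{
    $ok = '/^[A-Za-z0-9_.@#+=,:-]{1,64}$/';
    if (!preg_match($ok, $user) || !preg_match($ok, $pwd)) {
        return null;               // reject; do not try to "clean" the input
    }
    return 'htpasswd -nb ' . escapeshellarg($user) . ' ' . escapeshellarg($pwd);
}

// Constructed inputs: the advisory's payload and a benign pair.
$payload = '" || dir || ';

// As a shell argument the payload is rejected before escaping is attempted.
if (build_htpasswd_command('alice', $payload) !== null) {
    fwrite(STDERR, "payload should have been rejected\n");
    exit(1);
}
echo build_htpasswd_command('alice', 'secret'), "\n";

// As plain data the same payload is harmless: it is only ever hashed.
$line = htpasswd_line('alice', $payload);
if (!password_verify($payload, substr($line, strlen('alice:')))) {
    fwrite(STDERR, "hash does not verify\n");
    exit(1);
}
echo $line, "\n";
```

Run it with the PHP CLI: it prints the escaped command line for the benign pair and a generated htpasswd line, and exits non-zero if the advisory's payload is ever accepted as a shell argument. The point of the first form is that the payload never reaches a command interpreter at all, so neither escapeshellarg() nor escapeshellcmd() is on the trust path.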