PHP escapeshellarg and escapeshellcmd execute command
php-escapeshellarg-execute-command (16331)
Description:
PHP could allow a remote attacker to execute commands. The escapeshellarg and escapeshellcmd functions fail to properly filter shell metacharacters when running on Microsoft Windows operating systems, which could allow a remote attacker to execute additional commands on the system.
Platforms Affected:
- PHP, PHP 4.0 RC1
- PHP, PHP 4.0 Beta4
- PHP, PHP 4.0 Beta3
- PHP, PHP 4.0 Beta2
- PHP, PHP 4.0 Beta1
- PHP, PHP 4.0 RC2
- PHP, PHP 4.0 Beta 4 Patch1
- PHP, PHP 4.0.0
- PHP, PHP 4.0.1
- PHP, PHP 4.0.2
- PHP, PHP 4.0.3
- PHP, PHP 4.0.4
- PHP, PHP 4.0.5
- PHP, PHP 4.0.6
- PHP, PHP 4.0.7
- PHP, PHP 4.1.0
- PHP, PHP 4.1.1
- PHP, PHP 4.1.2
- PHP, PHP 4.1.3
- PHP, PHP 4.2.0
- PHP, PHP 4.2.1
- PHP, PHP 4.2.2
- PHP, PHP 4.2.3
- PHP, PHP 4.2.4
- PHP, PHP 4.3.0
- PHP, PHP 4.3.1
- PHP, PHP 4.3.2
- PHP, PHP 4.3.3
- PHP, PHP 4.3.4
- PHP, PHP 4.3.5
- PHP, PHP 4.3.6
Remedy:
Upgrade to the latest version of PHP (4.3.7 or later), available from the PHP Web site. See References.
Consequences:
Gain Access
References:
- Full-Disclosure Mailing List, Sun Jun 06 2004 - 06:25:30 CDT, PHP escapeshellarg Windows Vulnerability at http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0100.html.
- iDEFENSE Security Advisory 06.07.04, PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability at http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities.
- PHP Web site, php_value|flag / php_admin_* settings "leak" from vhosts/.htaccess files at http://bugs.php.net/bug.php?id=25753 and http://www.php.net/ChangeLog-4.php#4.3.7.
- BID-10471: PHP Microsoft Windows Shell Escape Functions Command Execution Vulnerability
- CVE-2004-0542: PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the %, |, or > characters to the escapeshellcmd function, or (2) the % character to the escapeshellarg function.
Reported:
Jun 06, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
