[NT] PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/08/04

    To: list@securiteam.com
    Date: 8 Jun 2004 10:08:49 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    PHP (http://www.php.net) is "a widely-used general-purpose scripting
    language that is especially suited for Web development and can be embedded
    into HTML". Remote exploitation of an input validation vulnerability in
    The PHP Group's HTML-embedded scripting language PHP allows attackers to
    bypass security protections.

    DETAILS

    Vulnerable Systems:
     * PHP version 4.3.6

    Immune Systems:
     * PHP version 4.3.7

    The problem specifically exists within the shell command escape routines
    escapeshellcmd() and escapeshellarg(). These routines are intended for
    escaping shell metacharacters that may be present in user-supplied data
    prior to passing them to command execution routines such as system(),
    passthru(), popen(), exec() or the backtick operator. While both filter
    routines are functional on the Unix platform, they fail to filter all
    characters on the Windows platform. The escapeshellcmd() routine fails to
    filter the characters '%|>', allowing attackers to access environment
    variables, redirect output and execute arbitrary commands. The
    escapeshellarg() routine fails to filter the character '%', allowing an
    attacker to access environment variables.

    Analysis:
    Exploitation allows attackers to compromise an affected system under the
    web server's privileges. Systems are not vulnerable by default, as a
    publicly accessible script must be present that utilizes one of the
    affected routines with user-supplied data.

    Workaround:
    Pass user-supplied data through custom character filters implemented with
    str_replace() or preg_replace(). Example:
        $user_supplied = preg_replace("/[>|%]/", "", $user_supplied);
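    The following is an added example, not code from the advisory, iDEFENSE or
    the PHP project. It packages the workaround above together with the
    DETAILS section's description of which characters each routine leaves
    unfiltered on Win32: the input is stripped of those characters before the
    built-in escape routine is applied, and a helper reports which of them were
    present so the application can log or reject such input. The function
    names, the constants and the sample input string are assumptions made for
    illustration.

```php
<?php
// Added example (not from the advisory or PHP itself): defensive wrappers
// around escapeshellcmd()/escapeshellarg() for PHP 4.3.6 on Win32, applying
// the advisory's workaround of removing the characters the built-in routines
// leave unfiltered on Windows ('%', '|', '>' for escapeshellcmd(), '%' for
// escapeshellarg()). All names below are hypothetical.

// Character classes the advisory names as unfiltered on Win32, per routine.
define('WIN32_CMD_UNFILTERED', '/[%|>]/');
define('WIN32_ARG_UNFILTERED', '/[%]/');

// True when running on a Windows build of PHP.
function is_win32()
{
    return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
}

// Returns the distinct characters in $input that escapeshellcmd() would leave
// unfiltered on Win32, so callers can log or reject the request.
function win32_unfiltered_cmd_chars($input)
{
    preg_match_all(WIN32_CMD_UNFILTERED, $input, $matches);
    return array_values(array_unique($matches[0]));
}

// Hardened replacement for escapeshellcmd(): remove the unfiltered characters
// first (only needed on Win32), then apply the built-in routine as usual.
function safe_shell_cmd($cmd)
{
    if (is_win32()) {
        $cmd = preg_replace(WIN32_CMD_UNFILTERED, '', $cmd);
    }
    return escapeshellcmd($cmd);
}

// Hardened replacement for escapeshellarg(): remove '%' on Win32 so that
// %VAR% environment-variable expansion cannot occur inside the quoted argument.
function safe_shell_arg($arg)
{
    if (is_win32()) {
        $arg = preg_replace(WIN32_ARG_UNFILTERED, '', $arg);
    }
    return escapeshellarg($arg);
}

// Constructed sample input standing in for a user-supplied value.
$user_supplied = 'report.txt > out.txt | %SYSTEMROOT%';

// Detection: record that the input carried characters the Win32 routine
// would not have filtered, before any command is built from it.
$flagged = win32_unfiltered_cmd_chars($user_supplied);
if (count($flagged) > 0) {
    error_log('shell input contained Win32-unfiltered characters: '
              . implode(' ', $flagged));
}

// Mitigation: prefer passing user data as one quoted argument rather than
// interpolating it into the command string; both wrappers are shown.
$arg = safe_shell_arg($user_supplied);
echo "arg: $arg\n";
$cmd = safe_shell_cmd('type ' . $user_supplied);
echo "cmd: $cmd\n";
```

    The stripping is done before calling the built-in routine rather than
    after so that the remaining escaping logic still sees the input it was
    written for; on PHP 4.3.7 and later, where the routines filter these
    characters themselves, the extra pass is redundant but harmless.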

    Vendor response:
    The input validation vulnerability inside escapeshellcmd() and
    escapeshellarg() on the Win32 platform has been resolved. A new PHP version
    (4.3.7) immune to this vulnerability is due to be released on June 3rd,
    2004.

    Disclosure timeline:
    04/05/03 Vulnerability acquired by iDEFENSE
    05/07/04 iDEFENSE clients notified
    05/07/04 Initial vendor notification
    05/17/04 Initial vendor response
    05/17/04 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (idlabs-advisories@idefense.com). The vulnerability was discovered by
    3APA3A.
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities

