PHP escapeshellarg Windows Vulnerability

From: Daniel Fabian (d.fabian_at_sec-consult.com)
Date: 06/06/04

    To: bugtraq@securityfocus.com
    Date: Sun, 6 Jun 2004 13:15:29 +0200
    
    

    SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor

    Vendor: PHP (http://www.php.net)
    Product: PHP 4.3.6 and below (verified in 4.3.5, which was current when
    the bug was discovered)
    Vendor status: vendor contacted (04-04-2004)
    Patch status: Problem fixed in 4.3.7

    ===========
    DESCRIPTION
    ===========

    PHP offers the function escapeshellarg() to escape arguments to shell
    commands in a way that makes it impossible for an attacker to execute
    additional commands. However, due to a bug in the function, this does not
    work with the Windows version of PHP.

    The following code, for example, is vulnerable:

    [code]
    // escapeshellarg() is the only protection applied to the user-supplied values
    $user = escapeshellarg($_GET['user']);
    $pwd = escapeshellarg($_GET['pwd']);

    // the escaped values are interpolated into a command line run by the shell
    system("htpasswd -nb $user $pwd", $return);
    [/code]

    If an attacker enters '" || dir || ' (without the single quotes) for
    user (or pwd), the command dir is executed.

    ===============
    GENERAL REMARKS
    ===============

    - The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the former
    version (4.3.3) the execution of additional commands was only possible
    when single quotes were used.

    - While correcting the vulnerability, the PHP staff seems to have
    noticed that the function escapeshellcmd is vulnerable too (according to
    the changelog of v4.3.7).

    ====================
    Recommended Hotfixes
    ====================

    Update PHP to version 4.3.7.

    EOF Daniel Fabian / @2004
    d.fabian at sec-consult dot com

    =======
    Contact
    =======

    SEC CONSULT Unternehmensberatung GmbH

    Büro Wien
    Blindengasse 3
    A-1080 Wien
    Austria

    Tel.: +43 / 1 / 409 0307 - 570
    Fax.: +43 / 1 / 409 0307 - 590
    Mail: office at sec-consult dot com
    http://www.sec-consult.com
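The following is an added example and not code from the advisory or from the PHP project. It shows the defensive rewrite of the htpasswd call that a reviewer would ask for today: the process is started with an argument array via proc_open() (supported since PHP 7.4), so no shell parses the command line and the Windows behaviour of escapeshellarg() is never what decides whether a payload such as `" || dir || ` becomes a second command. The function names, the username allowlist and the length limits are this example's own assumptions.

```php
<?php
// Added example (not from the SEC-CONSULT advisory): run htpasswd without a
// shell. With an argument array, proc_open() launches the program directly
// and each array element reaches it as exactly one argv entry, so quoting
// bugs in escapeshellarg() no longer matter. Requires PHP 7.4 or later.

function validate_username(string $user): string
{
    // Usernames are a natural place for a strict allowlist (assumed policy):
    // letters, digits, dot, underscore, hyphen, 1-64 characters. The
    // advisory's payload is rejected here before any process is spawned.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    return $user;
}

function run_htpasswd(string $user, string $pwd): array
{
    $user = validate_username($user);
    // Passwords may contain any character; only a length bound is enforced
    // (assumed limit), because no shell will ever see the value.
    if ($pwd === '' || strlen($pwd) > 256) {
        throw new InvalidArgumentException('password length out of range');
    }

    // Argument array form: no shell, no interpolation, no escaping needed.
    $args = ['htpasswd', '-nb', $user, $pwd];
    $spec = [
        0 => ['pipe', 'r'],   // stdin (unused, closed immediately)
        1 => ['pipe', 'w'],   // stdout: the generated "user:hash" line
        2 => ['pipe', 'w'],   // stderr
    ];
    $proc = proc_open($args, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htpasswd');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    return ['status' => $status, 'stdout' => trim($out), 'stderr' => trim($err)];
}

// Constructed inputs: a benign pair and the payload quoted in the advisory.
foreach ([['alice', 'S3cret!pass'], ['" || dir || ', 'x']] as [$u, $p]) {
    try {
        $r = run_htpasswd($u, $p);
        echo "accepted ", json_encode($u), " -> exit {$r['status']}: {$r['stdout']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected ", json_encode($u), ": ", $e->getMessage(), "\n";
    }
}
```

The allowlist on the username is defence in depth rather than the fix itself; the fix is that the command never passes through a shell. Where an older PHP forces a string command, the same principle applies: validate each argument against what the program actually needs before it is escaped, and treat escapeshellarg() as a second layer rather than the only one.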

