[Full-Disclosure] iDEFENSE Security Advisory 06.07.04: PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability
idlabs-advisories at idefense.com
idlabs-advisories at idefense.com
Mon Jun 7 20:19:29 BST 2004
PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation
iDEFENSE Security Advisory 06.07.04:
June 7, 2004
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
More information is available at http://www.php.net.
Remote exploitation of an input validation vulnerability in The PHP
Group's HTML-embedded scripting language PHP allows attackers to bypass
The problem specifically exists within the shell command escape routines
escapeshellcmd() and escapeshellarg(). These routines are intended for
escaping shell metacharacters that may be present in user-supplied data
prior to passing them to command execution routines such as system(),
passthru(), popen(), exec() or the backtick operator. While both filter
routines are functional on the Unix platform, they fail to filter all
characters on the Windows platform. The escapeshellcmd() routine fails
to filter the characters '%|>', allowing attackers to access environment
variables, redirect output and execute arbitrary commands. The
escapeshellarg() routine fails to filter the character '%', allowing an
attacker to access environment variables.
Exploitation allows attackers to compromise an affected system under the
web server's privileges. Systems are not vulnerable by default, as a
publicly accessible script must be present that utilizes one of the
affected routines with user-supplied data.
iDEFENSE has confirmed the existence of this vulnerability in PHP
version 4.3.6 running on Microsoft Windows platforms. It is suspected
that previous versions are also vulnerable.
Pass user-supplied data through custom character filters implemented
with str_replace() or preg_replace(). Example:
$user_supplied = preg_replace("/[>|%]/", "", $user_supplied);
VI. VENDOR RESPONSE
The input validation vulnerability inside escapeshellcmd() and
escapeshellarg() on Win32 platform has been resolved. A new PHP version
(4.3.7) immune to this vulnerability is due to be released on June 3rd,
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
04/05/03 Vulnerability acquired by iDEFENSE
05/07/04 iDEFENSE clients notified
05/07/04 Initial vendor notification
05/17/04 Initial vendor response
06/07/04 Public disclosure
3APA3A is credited with this discovery.
Get paid for vulnerability research
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice at idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
Full-Disclosure is hosted and sponsored by Secunia.