PHP escapeshellarg Windows Vulnerability

[06.06.2004] PHP escapeshellarg Windows Vulnerability

SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor

Vendor: PHP (

Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)

Vendor status: vendor contacted (04-04-2004)

Patch status: Problem fixed in 4.3.7



PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However due to a bug in the function, this does not work with the windows version of PHP.

Vulnerable is for example the following code:

$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);

system("htpasswd -nb $user $pwd", $return);

If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.


General Remarks

* The bug was successfully verified in PHP 4.3.3 and 4.3.5. In former version (4.3.3) the execution of additional commands was only possible when single quotes were used.

* While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according to the changelog of v4.3.7).

Recommended Hotfixes

Update PHP to version 4.3.7.


EOF Daniel Fabian / @2004

d.fabian at sec-consult dot com