[06.06.2004] PHP escapeshellarg Windows Vulnerability
SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor
Vendor: PHP (http://www.php.net)
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7
PHP offers the function escapeshellarg() to escape arguments to shell commands so that an attacker cannot execute additional commands. However, due to a bug in the function, this protection does not work in the Windows version of PHP.
Vulnerable is for example the following code:
<?php
// Deliberately vulnerable example from the advisory: on Windows, PHP 4.3.6 and
// below do not neutralise a double quote inside the argument, so the quoting
// added by escapeshellarg() can be closed early by attacker-controlled input.
$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);
system("htpasswd -nb $user $pwd", $return);
If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed.
* The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the older version (4.3.3), executing additional commands was only possible when single quotes were used.
* While correcting the vulnerability, the PHP developers appear to have noticed that the function escapeshellcmd() is vulnerable as well (according to the changelog of v4.3.7).
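The following is an added model of the weakness described above, not code from the advisory or from PHP. It assumes simplified versions of the Windows escapeshellarg() before and after the fix (the buggy form wraps the argument in double quotes without touching embedded quotes; the corrected form replaces embedded double quotes and percent signs with spaces, the approach later PHP releases took) and adds a quote-aware check a defender can run over a composed command line to confirm that no argument has broken out of its quoting.

```python
# Editor's model of the Windows escapeshellarg() weakness in the advisory,
# plus a quote-aware check for a command line that has broken out of quoting.
# Both escaping functions are simplified models, not PHP's own source.

WIN_METACHARS = set("&|<>^")  # cmd.exe operators that matter outside quotes

def escapeshellarg_win_buggy(arg: str) -> str:
    """Pre-4.3.7 Windows behaviour as the advisory describes it (assumption):
    wrap in double quotes but leave embedded double quotes untouched, so a
    quote inside the argument closes the quoted region early."""
    return '"' + arg + '"'

def escapeshellarg_win_fixed(arg: str) -> str:
    """Corrected behaviour, modelled on later PHP releases (assumption):
    embedded double quotes and percent signs become spaces, so the quoted
    region cannot be closed early and cmd.exe cannot expand %VAR% in it."""
    return '"' + arg.replace('"', ' ').replace('%', ' ') + '"'

def unquoted_operators(cmdline: str) -> list:
    """Return runs of cmd.exe metacharacters found OUTSIDE double quotes.
    Any hit means an argument escaped its quoting; '||' and '&&' are
    reported as one run each."""
    hits = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch in WIN_METACHARS:
            run = ch
            while i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1
                run += ch
            hits.append(run)
        i += 1
    return hits

def build_htpasswd_cmd(user: str, pwd: str, escaper) -> str:
    """Compose the advisory's command line with the given escaping function."""
    return f"htpasswd -nb {escaper(user)} {escaper(pwd)}"

PAYLOAD = '" || dir || '  # constructed: the advisory's payload as the 'user' value

if __name__ == "__main__":
    for esc in (escapeshellarg_win_buggy, escapeshellarg_win_fixed):
        cmd = build_htpasswd_cmd(PAYLOAD, "secret", esc)
        print(f"{esc.__name__}: {cmd!r} -> {unquoted_operators(cmd)}")
```

With the buggy model the check reports two unquoted `||` operators, which is exactly the condition that lets `dir` run; with the corrected model it reports none.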
Update PHP to version 4.3.7.
EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com