SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor Vendor: PHP (http://www.php.net) Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug was discovered) Vendor status: vendor contacted (04-04-2004) Patch status: Problem fixed in 4.3.7 =========== DESCRIPTION =========== PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However due to a bug in the function, this does not work with the windows version of PHP. Vulnerable is for example the following code: [code] $user = escapeshellarg($_GET['user']); $pwd = escapeshellarg($_GET['pwd']); system("htpasswd -nb $user $pwd", $return); [/code] If an attacker enters '" || dir || ' (without the single quotes) for user (or pwd), the command dir is executed. =============== GENERAL REMARKS =============== - The bug was successfully verified in PHP 4.3.3 and 4.3.5. In former version (4.3.3) the execution of additional commands was only possible when single quotes were used. - While correcting the vulnerability, the PHP staff seems to have noticed that the function escapeshellcmd is vulnerable too (according to the changelog of v4.3.7). ==================== Recommended Hotfixes ==================== Update PHP to version 4.3.7. EOF Daniel Fabian / @2004 d.fabian at sec-consult dot com ======= Contact ======= SEC CONSULT Unternehmensberatung GmbH Büro Wien Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 409 0307 - 570 Fax.: +43 / 1 / 409 0307 - 590 Mail: office at sec-consult dot com http://www.sec-consult.com