[Full-Disclosure] PHP escapeshellarg Windows Vulnerability

["Daniel Fabian" <list@xxxxxxxxxxx>]

SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor

Vendor: PHP (http://www.php.net)
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when the bug 
was discovered)
Vendor status: vendor contacted (04-04-2004)
Patch status: Problem fixed in 4.3.7


===========
DESCRIPTION
===========

PHP offers the function escapeshellarg() to escape arguments to shell commands 
in a way that makes it impossible for an attacker to execute additional 
commands. However due to a bug in the function, this does not work with the 
windows version of PHP.

Vulnerable is for example the following code:

[code]
$user = escapeshellarg($_GET['user']);
$pwd = escapeshellarg($_GET['pwd']);

system("htpasswd -nb $user $pwd", $return);
[/code]

If an attacker enters '" || dir || ' (without the single quotes) for user (or 
pwd), the command dir is executed.


===============
GENERAL REMARKS
===============

- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In former version 
(4.3.3) the execution of additional commands was only possible when single 
quotes were used.

- While correcting the vulnerability, the PHP staff seems to have noticed that 
the function escapeshellcmd is vulnerable too (according to the changelog of 
v4.3.7).

====================
Recommended Hotfixes
====================

Update PHP to version 4.3.7.


EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

=======
Contact
=======

SEC CONSULT Unternehmensberatung GmbH

Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com
 
             

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html