Public Vulnerability Reports

PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

06.07.04

BACKGROUND

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
More information is available at http://www.php.net.

DESCRIPTION

Remote exploitation of an input validation vulnerability in The PHP
Group's HTML-embedded scripting language PHP allows attackers to bypass
security protections.

The problem specifically exists within the shell command escape routines
escapeshellcmd() and escapeshellarg(). These routines are intended for
escaping shell metacharacters that may be present in user-supplied data
prior to passing them to command execution routines such as system(),
passthru(), popen(), exec() or the backtick operator. While both filter
routines are functional on the Unix platform, they fail to filter all
characters on the Windows platform. The escapeshellcmd() routine fails
to filter the characters '%|>', allowing attackers to access environment
variables, redirect output and execute arbitrary commands. The
escapeshellarg() routine fails to filter the character '%', allowing an
attacker to access environment variables.

ANALYSIS

Exploitation allows attackers to compromise an affected system under the
web server's privileges. Systems are not vulnerable by default, as a
publicly accessible script must be present that utilizes one of the
affected routines with user-supplied data.

DETECTION

iDEFENSE has confirmed the existence of this vulnerability in PHP
version 4.3.6 running on Microsoft Windows platforms. It is suspected
that previous versions are also vulnerable.

WORKAROUND

Pass user-supplied data through custom character filters implemented
with str_replace() or preg_replace(). Example:

    $user_supplied = preg_replace("/[>|%]/", "", $user_supplied);

VENDOR RESPONSE

The input validation vulnerability inside escapeshellcmd() and
escapeshellarg() on Win32 platform has been resolved. A new PHP version
(4.3.7) immune to this vulnerability is due to be released on June 3rd,
2004.

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0542 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

04/05/2003    Vulnerability acquired by iDEFENSE
05/07/2004    iDEFENSE clients notified
05/07/2004    Initial vendor notification
05/17/2004    Initial vendor response
05/17/2004    Public disclosure

CREDIT

3APA3A is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.