SECURITYVULNS:DOC:6305
Jun 08, 2004

PHP for Windows all version shell filtering bug

vulners.com

Subject: PHP for Windows all version shell filtering bug
Product: PHP for Windows all versions (4.3.1, 4.2.3, 3.0.17 tested with
Windows 2000 SP3 all fixes + IIS)
Vendor: php.net
Risk: High (for affected systems)
Remote: Yes
Author: 3APA3A <[email protected]>

Intro:

PHP is a scripting language used by the majority of web sites and available
for almost any platform.

PHP provides a few functions for escaping shell characters in a supplied
argument, for use in conjunction with system(), popen(), exec(), etc.:
escapeshellcmd() and escapeshellarg().

Problem:

escapeshellcmd() and escapeshellarg() fail to escape metacharacters for
Windows.

Details:

escapeshellarg() quotes the supplied argument with single quotes ('');
both functions prefix all known shell characters with the '\' character.

This approach doesn't work for Windows, because of at least 2
problems:

  1. \ only escapes a shell character inside double quotes ("").

  2. Windows has a different set of shell characters. For example, the '%'
    character is not filtered by the escape functions but may be used to
    expand an environment variable and so insert user-supplied input, for
    example via %QUERY_STRING%.

Impact:

It is possible to use the special shell characters <>%|&. This allows
reading/writing files (<>) and executing arbitrary programs (|&).

Simple test.php:

<?php

// Hostnames carrying a '&' command separator (a cmd.exe metacharacter)
$host1 = "localhost&dir";
$host2 = "localhost&dir . ";

// escapeshellcmd() prefixes '&' with '\', which cmd.exe does not treat as an escape
$arg = escapeshellcmd("ping $host1");
system($arg);

// escapeshellarg() wraps the value in single quotes, which cmd.exe does not treat as quoting
$arg = escapeshellarg($host2);
exec("ping $arg");
?>
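As an added example that is not part of the advisory, the following PHP hardens the test.php pattern above by validating the hostname against an allowlist before it is placed in any command string, so that the escaping behaviour of escapeshellcmd()/escapeshellarg() on Windows described under Details is no longer the only line of defence. The function names validate_hostname() and safe_ping_command() and the sample inputs are assumptions made here, not code from the author or from PHP.

```php
<?php
// Added example: allowlist validation of a hostname before it reaches a shell.
// Not part of the original advisory; function names and inputs are assumed.

/**
 * Returns the hostname if it contains only characters valid in a DNS name
 * (RFC 1123 labels: letters, digits and hyphens, separated by dots), else null.
 * None of the cmd.exe metacharacters (& | < > % ^ " ') can pass this check.
 */
function validate_hostname(string $host): ?string
{
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Each label: 1-63 chars, alphanumeric at both ends, hyphens allowed inside
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Builds the ping command only from a validated hostname; returns null
 * (and therefore runs nothing) for rejected input.
 */
function safe_ping_command(string $host): ?string
{
    $clean = validate_hostname($host);
    if ($clean === null) {
        return null;
    }
    // The validated value cannot contain shell metacharacters, so the
    // command is safe regardless of how the platform's shell quotes.
    return 'ping ' . escapeshellarg($clean);
}

// Constructed inputs: a legitimate name plus the kinds of payloads the
// advisory describes (command separator, pipe, redirection, %VAR% expansion).
$inputs = [
    'localhost',
    'localhost&dir',
    'localhost|dir',
    'localhost>out.txt',
    'localhost%QUERY_STRING%',
];

foreach ($inputs as $in) {
    $cmd = safe_ping_command($in);
    if ($cmd === null) {
        echo "rejected: $in\n";
        continue;
    }
    echo "would run: $cmd\n";
    // system($cmd); // uncomment to execute the validated command
}
```

Only the first input survives validation; every input containing a cmd.exe metacharacter is rejected before any command string is built, which is the property the escaping functions alone cannot provide on Windows.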

Exploitation:

PHP is not exploitable by itself. To exploit the vulnerability, a PHP
script that uses escapeshellcmd()/escapeshellarg() on the Windows
platform is required. Examples of vulnerable PHP scripts are the ones
from the PHP escapeshellcmd()/escapeshellarg() manual.