Information Security


Additional information

  Bypassing metacharacter filtering in PHP under Windows (protection bypass)

  [Full-Disclosure] iDEFENSE Security Advisory 06.07.04: PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: 8 June 2004
Subject: PHP for Windows all version shell filtering bug

Subject:  PHP for Windows all version shell filtering bug
Product:  PHP for Windows all versions (4.3.1, 4.2.3, 3.0.17 tested with
         Windows 2000 SP3 all fixes + IIS)
Vendor:   php.net
Risk:     High (for affected systems)
Remote:   Yes
Author:   3APA3A <3APA3A_(at)_security.nnov.ru>

Intro:

PHP is a scripting language used by the majority of web sites and available
for almost any platform.

PHP provides a few functions for escaping shell metacharacters in a supplied
argument before it is used with system(), popen(), exec(), etc.:
escapeshellcmd() and escapeshellarg().

Problem:

escapeshellcmd() and escapeshellarg() fail to escape the metacharacters that
matter on Windows, where the command line is interpreted by cmd.exe.

Details:

escapeshellarg() wraps the supplied argument in single quotes (''), and
both functions prefix every known shell metacharacter with a '\' character.

This approach does not work on Windows, for at least two reasons:

1. cmd.exe does not treat \ as an escape character (its escape character
is ^), so a prefixed '\' leaves &, |, < and > fully active. Single quotes
carry no special meaning for cmd.exe either; the only quoting it honours
is double quotes ("").

2. Windows has a different set of shell metacharacters. For example, the
'%' character is not filtered by either escape function, but cmd.exe
expands %NAME% to the value of the environment variable NAME, which lets
an attacker insert their own input into the command line, for example via
%QUERY_STRING%.

Impact:

It is possible to pass the special shell characters <, >, %, | and &
through both functions. This allows an attacker to read and write files
(< and >) and to execute arbitrary programs (| and &).

Simple test.php:

<?php
// Both calls below run on Windows, where PHP hands the command line to
// cmd.exe. The & that the escape functions "neutralise" with a backslash
// is still a command separator for cmd.exe, so "dir" runs after ping.

$host1 = "localhost&dir";
$host2 = "localhost&dir *.* ";

// escapeshellcmd() turns "&" into "\&"; cmd.exe ignores the backslash.
$arg = escapeshellcmd("ping $host1");
system($arg);

// escapeshellarg() wraps the value in single quotes, which cmd.exe does
// not treat as quoting, so the & inside them still separates commands.
$arg = escapeshellarg($host2);
exec("ping $arg");
?>
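As an added example (not part of the advisory and not PHP's own code), here is a hardened replacement for the test.php pattern: rather than trusting escapeshellcmd()/escapeshellarg() on Windows, the host value is checked against a strict hostname/IPv4-literal allowlist and only then interpolated into a fixed command template, so no cmd.exe metacharacter can ever reach the shell. The function names is_safe_host() and ping_host(), the regular expression, and the sample inputs are assumptions made for this example; the inputs are constructed to mirror the advisory's payloads.

```php
<?php
// Added example, not from the advisory. Allowlist validation instead of
// escaping: the accepted character set contains none of the characters
// cmd.exe treats specially (& | < > ^ % " ! and whitespace).

function is_safe_host($host)
{
    // RFC 1123 style hostname: dot-separated labels of letters, digits and
    // hyphens (no leading/trailing hyphen), at most 253 characters overall.
    // IPv4 literals such as 127.0.0.1 match the same pattern.
    $re = '/^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
        . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/';
    return (bool) preg_match($re, (string) $host);
}

function ping_host($host)
{
    if (!is_safe_host($host)) {
        // Fail closed: never fall back to escaping an unexpected value.
        throw new InvalidArgumentException('refusing to ping unsafe host value');
    }
    // Fixed command template; only the validated token is interpolated.
    // "-n 1" is the Windows ping count switch (it would be "-c 1" on Unix).
    $cmd = 'ping -n 1 ' . $host;
    exec($cmd, $out, $rc);
    return array('rc' => $rc, 'output' => implode("\n", $out));
}

// Constructed inputs: the advisory's payloads plus two legitimate values.
// This loop only exercises the validator, so it runs without pinging anything.
$samples = array(
    'localhost',
    '127.0.0.1',
    'localhost&dir',
    'localhost&dir *.* ',
    '%QUERY_STRING%',
    'host|calc',
);
foreach ($samples as $h) {
    printf("%-22s -> %s\n", var_export($h, true),
        is_safe_host($h) ? 'accepted' : 'rejected');
}
```

Only 'localhost' and '127.0.0.1' are accepted; every payload carrying &, |, %, spaces or wildcards is rejected before any shell is involved. Where the program must be run with attacker-influenced arguments that cannot be reduced to such an allowlist, current PHP releases offer proc_open() with the Windows-only `bypass_shell` option, which launches the executable directly instead of via cmd.exe, so cmd.exe's metacharacters and %VAR% expansion are never applied to the command line.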

Exploitation:

PHP is not exploitable by itself. To exploit the vulnerability, a PHP
script that passes user input through escapeshellcmd()/escapeshellarg()
into a shell call must be running on the Windows platform. Examples of
vulnerable PHP scripts are the ones given in the PHP manual for
escapeshellcmd()/escapeshellarg().

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod