Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200911-06
HistoryNov 26, 2009 - 12:00 a.m.

PEAR Net_Traceroute: Command injection

2009-11-2600:00:00
Gentoo Foundation
security.gentoo.org
9

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.011 Low

EPSS

Percentile

84.7%

JSON

Background

PEAR Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP.

Description

Pasquale Imperato reported that the $host parameter to the traceroute() function in Traceroute.php is not properly sanitized before being passed to exec().

Impact

A remote attacker could exploit this vulnerability when user input is passed directly to PEAR Net_Traceroute in a PHP script, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running the affected PHP script.

Workaround

Ensure that all data that is passed to the traceroute() function is properly shell escaped (for instance using the escapeshellcmd() function).

Resolution

All PEAR Net_Traceroute users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Net_Traceroute-0.21.2"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-php/pear-net_traceroute< 0.21.2UNKNOWN

Related

nessus 5
securityvulns 2
cve 1
openvas 4
fedora 3
prion 1
freebsd 1
nessus
nessus
Fedora 12 : php-pear-Net-Traceroute-0.21.2-1.fc12 (2009-11551)
2009-11-30 00:00:00
Fedora 10 : php-pear-Net-Traceroute-0.21.2-1.fc10 (2009-12083)
2009-11-30 00:00:00
Fedora 11 : php-pear-Net-Traceroute-0.21.2-1.fc11 (2009-11617)
2009-11-30 00:00:00
securityvulns
securityvulns
PHP multiple security vulnerabilities
2009-12-01 00:00:00
[ GLSA 200911-06 ] PEAR Net_Traceroute: Command injection
2009-12-01 00:00:00
cve
cve
CVE-2009-4025
2009-11-29 13:07:00
openvas
openvas
Gentoo Security Advisory GLSA 200911-06 (PEAR-Net_Traceroute)
2009-12-03 00:00:00
Gentoo Security Advisory GLSA 200911-06 (PEAR-Net_Traceroute)
2009-12-03 00:00:00
FreeBSD Ports: pear-Net_Ping
2010-01-07 00:00:00
fedora
fedora
[SECURITY] Fedora 12 Update: php-pear-Net-Traceroute-0.21.2-1.fc12
2009-11-25 15:25:36
[SECURITY] Fedora 11 Update: php-pear-Net-Traceroute-0.21.2-1.fc11
2009-11-25 15:05:12
[SECURITY] Fedora 10 Update: php-pear-Net-Traceroute-0.21.2-1.fc10
2009-11-25 15:06:06
prion
prion
Design/Logic Flaw
2009-11-29 13:07:00
freebsd
freebsd
PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection
2009-11-14 00:00:00

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.011 Low

EPSS

Percentile

84.7%

JSON
Related for GLSA-200911-06
nessus5securityvulns2cve1openvas4fedora3prion1freebsd1