Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpping.txt

🗓️ 30 Dec 2003 00:00:00Reported by ppp-designType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

php-ping has a high security risk due to command execution vulnerabilities in unfiltered inputs.

Code
`ppp-design found the following design error in php-ping:  
  
  
Details  
-------  
Product: php-ping  
Affected Version: (no version information included in the script)  
Immune Version: latest version  
OS affected: all OS with php  
Vendor-URL: http://www.theworldsend.net/  
Vendor-Status: informed, new version avaiable  
Security-Risk: high - very high  
Remote-Exploit: Yes  
  
  
Introduction  
------------  
php-ping is a simple php script executing the ping command.  
Unfortunately a bug allows users to execute arbritary commands.  
  
  
More details  
------------  
The problem is based upon the fact that not all user inputs are filtered  
correctly. Although $host ist filtered using preg_replace the $count  
variable is parsed unfiltered to the system() command.  
  
  
Proof-of-concept  
----------------  
You can use one of the following proof of concepts:  
  
http://www.example.com/php-ping.php?count=1+%26+ls%20-l+%26&submit=Ping%21  
http://www.example.com/php-ping.php?count=1+%26+cat%20/etc/passwd+%26&submit=Ping%21  
  
  
Temporary-Fix  
-------------  
Replace  
If ($count > $max_count)  
with  
If ($count > $max_count || !is_numeric($count))  
  
  
Fix  
---  
Use latest version.  
  
  
Security-Risk  
-------------  
Because an attacker is able to execute any php command, he is able to  
read all files including .htaccess or .htpasswd files or any password  
protected pages. Depending on system security he might be able to run  
any shell command on the server. That is why we are rating this security  
issue to high - very high.  
  
  
Vendor status  
-------------  
Unfortunately the [email protected] address mentioned on the  
website and in the script was bouncing. But with help of whois we were  
able to find a valid email address to contact the author. On day later,  
the bug was fixed without any notice.  
  
  
Disclaimer  
----------  
All information that can be found in this advisory is believed to be  
true, but maybe it isn't. ppp-design can not be held responsible for the  
use or missuse of this information. Redistribution of this text is only  
permitted if the text has not been altered and the original author  
ppp-design (http://www.ppp-design.de) is mentioned.  
  
  
This advisory can be found online at:  
http://www.ppp-design.de/advisories_show.php?adv=php-ping__executing_arbitrary_commands.txt  
  
  
  
--   
ppp-design  
http://www.ppp-design.de  
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc  
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Dec 2003 00:00Current
7.4High risk
Vulners AI Score7.4
php-pingsecurity riskcommand executionunfiltered inputsremote exploitimmune versionproof of concepttemporary fix.
25