phpEscape.txt

07 Jun 2004 00:00:00 | Reported by Daniel Fabian | Type: packetstorm | Source: packetstormsecurity.com

PHP versions 4.3.6 and below are vulnerable to command injection due to a bug in the escapeshellarg() function.

Code
`SEC-CONSULT Security Advisory - PHP: Hypertext Preprocessor  
  
Vendor: PHP (http://www.php.net)  
Product: PHP 4.3.6 and below (verified in 4.3.5 which was current when  
the bug was discovered)  
Vendor status: vendor contacted (04-04-2004)  
Patch status: Problem fixed in 4.3.7  
  
===========  
DESCRIPTION  
===========  
  
PHP offers the function escapeshellarg() to escape arguments to shell  
commands in a way that makes it impossible for an attacker to execute  
additional commands. However, due to a bug in the function, this does not  
work with the Windows version of PHP.  
  
For example, the following code is vulnerable:  
  
[code]  
$user = escapeshellarg($_GET['user']);  
$pwd = escapeshellarg($_GET['pwd']);  
  
system("htpasswd -nb $user $pwd", $return);  
[/code]  
  
If an attacker enters '" || dir || ' (without the single quotes) for  
user (or pwd), the command dir is executed.  
  
===============  
GENERAL REMARKS  
===============  
  
- The bug was successfully verified in PHP 4.3.3 and 4.3.5. In the former  
version (4.3.3) the execution of additional commands was only possible  
when single quotes were used.  
  
- While correcting the vulnerability, the PHP staff seems to have  
noticed that the function escapeshellcmd is vulnerable too (according to  
the changelog of v4.3.7).  
  
====================  
Recommended Hotfixes  
====================  
  
Update PHP to version 4.3.7.  
  
EOF Daniel Fabian / @2004  
d.fabian at sec-consult dot com  
  
=======  
Contact  
=======  
  
SEC CONSULT Unternehmensberatung GmbH  
  
Büro Wien  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 409 0307 - 570  
Fax.: +43 / 1 / 409 0307 - 590  
Mail: office at sec-consult dot com  
http://www.sec-consult.com  
`
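
A hardened form of the advisory's htpasswd snippet, as an added example that is not part of the advisory or the PHP project's code. It validates the user name against an allowlist and starts htpasswd without a shell, so the result does not depend on escapeshellarg(). Assumptions: PHP 7.4 or later (array-form proc_open), an htpasswd build that supports `-i`, and the hypothetical function name and allowlist pattern.

```php
<?php
// Added example, not from the advisory. Assumes PHP >= 7.4 (array-form
// proc_open, which starts the program without a shell) and an htpasswd
// that supports -i (read the password from stdin). Names are hypothetical.

function make_htpasswd_line(string $user, string $pwd): string
{
    // Allowlist first: reject anything outside a narrow user name alphabet,
    // so a quoting bug in an escaping helper can never be reached.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    // The password travels over stdin, so it must be a single line.
    if ($pwd === '' || strpbrk($pwd, "\r\n\0") !== false) {
        throw new InvalidArgumentException('invalid password');
    }

    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array command: no cmd.exe or /bin/sh parses the arguments, so
    // metacharacters such as " | & are passed to htpasswd as plain data.
    $proc = proc_open(['htpasswd', '-ni', $user], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start htpasswd');
    }
    fwrite($pipes[0], $pwd . "\n");
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('htpasswd failed: ' . trim($err));
    }
    return trim($out);
}

// Constructed inputs: the second is the test string quoted in the advisory.
foreach (['alice', '" || dir || '] as $candidate) {
    try {
        echo make_htpasswd_line($candidate, 'correct horse'), "\n";
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

Passing the password on stdin also keeps it out of the process list, which the `-b` form in the original snippet does not.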
