From idlabs-advisories@idefense.com Mon Jun 7 17:08:38 2004 From: idlabs-advisories@idefense.com To: idlabs-advisories@idefense.com Date: Mon, 7 Jun 2004 15:19:29 -0400 Reply-To: customerservice@idefense.com Subject: [Full-Disclosure] iDEFENSE Security Advisory 06.07.04: PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability iDEFENSE Security Advisory 06.07.04: www.idefense.com/application/poi/display?id=108&type=vulnerabilities June 7, 2004 I. BACKGROUND PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. More information is available at http://www.php.net. II. DESCRIPTION Remote exploitation of an input validation vulnerability in The PHP Group's HTML-embedded scripting language PHP allows attackers to bypass security protections. The problem specifically exists within the shell command escape routines escapeshellcmd() and escapeshellarg(). These routines are intended for escaping shell metacharacters that may be present in user-supplied data prior to passing them to command execution routines such as system(), passthru(), popen(), exec() or the backtick operator. While both filter routines are functional on the Unix platform, they fail to filter all characters on the Windows platform. The escapeshellcmd() routine fails to filter the characters '%|>', allowing attackers to access environment variables, redirect output and execute arbitrary commands. The escapeshellarg() routine fails to filter the character '%', allowing an attacker to access environment variables. III. ANALYSIS Exploitation allows attackers to compromise an affected system under the web server's privileges. Systems are not vulnerable by default, as a publicly accessible script must be present that utilizes one of the affected routines with user-supplied data. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in PHP version 4.3.6 running on Microsoft Windows platforms. It is suspected that previous versions are also vulnerable. V. WORKAROUND Pass user-supplied data through custom character filters implemented with str_replace() or preg_replace(). Example: $user_supplied = preg_replace("/[>|%]/", "", $user_supplied); VI. VENDOR RESPONSE The input validation vulnerability inside escapeshellcmd() and escapeshellarg() on Win32 platform has been resolved. A new PHP version (4.3.7) immune to this vulnerability is due to be released on June 3rd, 2004. VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 04/05/03 Vulnerability acquired by iDEFENSE 05/07/04 iDEFENSE clients notified 05/07/04 Initial vendor notification 05/17/04 Initial vendor response 06/07/04 Public disclosure IX. CREDIT 3APA3A is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html