Subject: PHP for Windows all version shell filtering bug
Product: PHP for Windows all versions (4.3.1, 4.2.3, 3.0.17 tested with
Windows 2000 SP3 all fixes + IIS)
Risk: High (for affected systems)
Author: 3APA3A <[email protected]>
PHP is a scripting language used by a large number of web sites and
available for almost any platform.
PHP provides two functions for escaping shell metacharacters in a supplied
argument before it is used with system(), popen(), exec(), etc.:
escapeshellcmd() and escapeshellarg().
escapeshellcmd() and escapeshellarg() fail to escape metacharacters for
the Windows command interpreter (cmd.exe). escapeshellarg() wraps the
supplied argument in single quotes ('') and escapes any embedded single
quote; escapeshellcmd() prefixes every known (Unix) shell metacharacter
with the '\' character. In both cases the escape character relied on is '\'.
This approach does not work on Windows, for at least two reasons:
1. '\' is not the escape character of cmd.exe (cmd.exe uses '^'). The only
place a backslash escapes anything is before a double quote (") when a
program's command line is split into arguments, so the '\&' produced by
escapeshellcmd() still leaves '&' acting as a command separator.
2. Windows has a different set of shell characters. For example, the '%'
character is not filtered by the escape functions but may be used to expand
an environment variable and thereby insert user-supplied input, for example via
As a result the special shell characters < > % | & remain usable. This allows
reading/writing files (<, >) and executing arbitrary programs (|, &).
<?php
$host1 = "localhost&dir";
$host2 = "localhost&dir *.* ";
$cmd = escapeshellcmd("ping $host1"); // gives "ping localhost\&dir": cmd.exe runs "ping localhost\" and then "dir"
$arg = escapeshellarg($host2);        // gives "'localhost&dir *.* '": ' is not a quote to cmd.exe, so "&" still runs dir
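As an added example (not part of the advisory, and not PHP's own code), here is what a script running on Windows can do instead of relying on these two functions: validate the argument against a strict allowlist and refuse anything that is not a plausible hostname before it ever reaches cmd.exe. The function names is_safe_host(), build_ping_command() and ping_host(), the "ping -n 1" invocation and the sample inputs are this example's own choices and assumptions.

```php
<?php
// Added example, not from the advisory. Instead of trusting
// escapeshellcmd()/escapeshellarg() to neutralise cmd.exe metacharacters,
// validate the argument against a strict allowlist and refuse anything else.

// Assumption: the script only ever pings hostnames or dotted-quad IPs,
// so letters, digits, '.' and '-' are the only characters it needs.
function is_safe_host($host)
{
    if (!is_string($host) || $host === '' || strlen($host) > 253) {
        return false;
    }
    // & | < > ^ % " ' and whitespace are rejected simply because they are
    // not in the allowed set; no escaping rules of cmd.exe are involved.
    return preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1;
}

// Builds the command line only after validation; returns null when the
// input is refused so a caller cannot run a half-built command by mistake.
function build_ping_command($host)
{
    if (!is_safe_host($host)) {
        return null;
    }
    return 'ping -n 1 ' . $host;
}

// Runs the validated command and reports whether ping succeeded.
function ping_host($host)
{
    $cmd = build_ping_command($host);
    if ($cmd === null) {
        return false;
    }
    $output = array();
    $rc = 1;
    exec($cmd, $output, $rc);
    return $rc === 0;
}

// Constructed sample inputs: the advisory's two payloads, two ordinary
// hosts and one pipe injection attempt.
$samples = array("localhost&dir", "localhost&dir *.* ", "localhost", "10.0.0.1", "a|b");
foreach ($samples as $s) {
    printf("%-24s %s\n", var_export($s, true),
           is_safe_host($s) ? 'accepted' : 'REJECTED');
}
```

Allowlisting sidesteps the question of which quoting rules cmd.exe applies, which is the right default whenever the argument has a narrow expected form such as a hostname. Where an arbitrary string must be passed on Windows, the safer route is to avoid cmd.exe altogether (later PHP releases added a bypass_shell option to proc_open() for exactly that) rather than to try to escape for it.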
PHP is not exploitable by itself. To exploit the vulnerability, a PHP script
running on Windows that passes user-supplied input through
escapeshellcmd()/escapeshellarg() to system(), popen(), exec(), etc. is
required. Examples of vulnerable PHP scripts are ones from PHP