
Related information

  PHP for Windows shell characters filtration protection bypass

  [Full-Disclosure] iDEFENSE Security Advisory 06.07.04: PHP Win32 escapeshellcmd() and escapeshellarg() Input Validation Vulnerability

From: 3APA3A <3APA3A_(at)>
Subject: PHP for Windows all version shell filtering bug

Subject:  PHP for Windows all version shell filtering bug
Product:  PHP for Windows all versions (4.3.1, 4.2.3, 3.0.17 tested with
         Windows 2000 SP3 all fixes + IIS)
Risk:     High (for affected systems)
Remote:   Yes
Author:   3APA3A <[email protected]>


PHP is a scripting language used by the majority of web sites and available
for almost any platform.

PHP provides a few functions for escaping shell characters in a supplied
argument before it is used with system(), popen(), exec(), etc.:
escapeshellcmd() and escapeshellarg().


escapeshellcmd()  and escapeshellarg() fail to escape metacharacters for


escapeshellarg() wraps the supplied argument in single quotes (''); both
functions prefix all known shell characters with a '\' character.

This approach doesn't work for Windows, because of at least 2 reasons:

1. '\' only neutralises a shell character inside double quotes ("").

2. Windows has a different set of shell characters. For example, the '%'
character is not filtered by the escape functions but may be used to expand
an environment variable and to insert user-supplied input, for example via

it's possible to use the special shell characters <>%|&, which allow
reading/writing files (<>) and executing arbitrary programs (|&).

Simple test.php:


<?php
$host1 = "localhost&dir";            // '&' is the cmd.exe command separator
$host2 = "localhost&dir *.* ";

$cmd = escapeshellcmd("ping $host1"); // gives "ping localhost\&dir"; cmd.exe ignores '\', so dir runs
exec($cmd);

$arg = escapeshellarg($host2);        // gives 'localhost&dir *.* '; cmd.exe ignores single quotes, so dir runs
exec("ping $arg");


PHP is not exploitable by itself. To exploit the vulnerability, a PHP
script that uses escapeshellcmd()/escapeshellarg() on the Windows platform
is required. Examples of vulnerable PHP scripts are the ones in the PHP
manual for escapeshellcmd()/escapeshellarg().
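The escaping mismatch described above, modelled in Python as an added example that is not part of the advisory or of PHP: legacy_escapeshellcmd() and legacy_escapeshellarg() model the backslash-prefix and single-quote escaping the advisory attributes to PHP, cmd_live_metachars() scans the escaped string under cmd.exe's own rules to report which metacharacters are still active, and win_escapeshellarg() shows a Windows-oriented quoting that leaves none active. The POSIX metacharacter set and the win_escapeshellarg() behaviour are assumptions for illustration, not PHP's actual code.

```python
import re

# Assumption: the POSIX-oriented set that the advisory calls "all known
# shell characters"; the exact list is not given on the page.
POSIX_META = set('#&;`|*?~<>^()[]{}$\\\n\'"')

# Characters that separate or redirect commands for cmd.exe.
CMD_META = set('&|<>')


def legacy_escapeshellcmd(cmd: str) -> str:
    """Model of the '\\'-prefix escaping described in the advisory."""
    return ''.join('\\' + c if c in POSIX_META else c for c in cmd)


def legacy_escapeshellarg(arg: str) -> str:
    """Model of the single-quote wrapping described in the advisory."""
    return "'" + arg.replace("'", "'\\''") + "'"


def cmd_live_metachars(s: str) -> list:
    """Return the metacharacters cmd.exe would still act on in s.

    cmd.exe rules modelled here: '\\' and single quotes have no special
    meaning, '^' escapes the next character only outside double quotes,
    double quotes toggle quoting, and %NAME% expansion happens everywhere,
    even inside double quotes.
    """
    live = re.findall(r'%[^%]+%', s)  # variable expansions survive quoting
    quoted = False
    i = 0
    while i < len(s):
        c = s[i]
        if c == '"':
            quoted = not quoted
        elif c == '^' and not quoted:
            i += 1                      # next character is taken literally
        elif c in CMD_META and not quoted:
            live.append(c)
        i += 1
    return live


def win_escapeshellarg(arg: str) -> str:
    """Assumed Windows-oriented quoting: wrap in double quotes and blank out
    embedded double quotes and '%' so neither quoting nor environment
    expansion can be broken out of."""
    return '"' + arg.replace('"', ' ').replace('%', ' ') + '"'
```

Running cmd_live_metachars() over the output of the legacy functions for the advisory's test inputs reports the '&' as still active, while the double-quoted form reports nothing.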

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod