Net_Traceroute and Net_Ping security advisory

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01


Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.


Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages

Package                   /  Vulnerable  /             Unaffected
1  Net_Ping                   < 2.4.5                   >= 2.4.5
2  Net_Traceroute       < 0.21.2                  >= 0.21.2

2 affected packages on all of their supported architectures.


Remote Arbitrary Command Injection


When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.


Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.


The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.


About david

Member of the PEAR Group, PEAR Board of decisions, strong Open Source Business Model fighter
This entry was posted in Announcements, Blogroll, Group Blog, President Blog. Bookmark the permalink.