PEAR Blog

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.

Background

Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages

———————————————————————————————
Package                   /  Vulnerable  /             Unaffected
———————————————————————————————
1  Net_Ping                   < 2.4.5                   >= 2.4.5
2  Net_Traceroute       < 0.21.2                  >= 0.21.2

———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————

Description

Remote Arbitrary Command Injection

Impact

When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

• http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
• pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

• http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
• pear upgrade Net_Traceroute-0.21.2

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

This entry was posted on Saturday, November 14th, 2009 at 04:39 and is filed under Announcements, Blogroll, Group Blog, President Blog. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.