PEAR Security Advisory (PSA 200911-14-01)
Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01
Synopsis
Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.
Background
Net_Ping is an OS independent wrapper class for executing ping calls from PHP
Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP
Affected packages
———————————————————————————————
Package / Vulnerable / Unaffected
———————————————————————————————
1 Net_Ping < 2.4.5 >= 2.4.5
2 Net_Traceroute < 0.21.2 >= 0.21.2
———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————
Description
Remote Arbitrary Command Injection
Impact
When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.
Workaround
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
Resolution
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
- http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
- pear upgrade Net_Ping-2.4.5
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
- http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
- pear upgrade Net_Traceroute-0.21.2
Reported By
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
Pingback: Two security fixes for PEAR’s Net_Ping and Net_Traceroute packages « Ken Guest’s online diary
Pingback: PEAR Blog: Net_Traceroute and Net_Ping security advisory | Development Blog With Code Updates : Developercast.com
Pingback: PEAR Blog: Net_Traceroute and Net_Ping security advisory | Webs Developer
Pingback: PEAR Blog » Blog Archive » Net_Traceroute and Net_Ping security … | Coder Online