Net_Traceroute and Net_Ping security advisory

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injection vulnerabilities have been found in the Net_Ping
and Net_Traceroute packages.

Background

Net_Ping is an OS-independent wrapper class for executing ping calls from PHP.

Net_Traceroute is an OS-independent wrapper class for executing traceroute calls from PHP.

Affected packages

———————————————————————————————
   Package           /  Vulnerable  /  Unaffected
———————————————————————————————
1  Net_Ping          /  < 2.4.5     /  >= 2.4.5
2  Net_Traceroute    /  < 0.21.2    /  >= 0.21.2
———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————

Description

Remote Arbitrary Command Injection

Impact

When input from forms is used directly, an attacker could pass values that allow remote arbitrary command injection.

Workaround

Filter your input to make sure the arguments passed to the commands are shell escaped, or upgrade to the latest version of both packages.
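The workaround above, as an added example that is not code from Net_Ping or Net_Traceroute: a small PHP ping wrapper in the unsafe form the advisory describes, beside a hardened form that validates the host and shell-escapes it before the command is built. The function names, the host check and the ping flags are assumptions for illustration.

```php
<?php
// Added example, not part of Net_Ping or Net_Traceroute.

// Unsafe pattern: the host string is concatenated into the shell command
// unchanged, so any shell metacharacters in it become part of the command.
function ping_unsafe(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Accept only a literal IP address or an RFC 1123 style hostname
// (labels of letters, digits and hyphens joined by dots, max 253 chars).
function validate_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened pattern: reject anything that is not a plain host, then quote
// the argument so the shell treats it as one literal word. The count is
// cast to int so it cannot carry text into the command line either.
function ping_safe(string $host, int $count = 1): string
{
    if (!validate_host($host)) {
        throw new InvalidArgumentException("Refusing to ping invalid host: $host");
    }
    $cmd = sprintf('ping -c %d %s', (int) $count, escapeshellarg($host));
    return (string) shell_exec($cmd);
}

// Constructed inputs: the first passes validation, the second is rejected
// before any command is built.
foreach (['example.com', 'not a valid host!'] as $input) {
    try {
        echo ping_safe($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The validation step matters on its own: escapeshellarg() stops a value from breaking out of its argument, while the host check keeps values that are not hosts from reaching the command at all.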

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

About david

Member of the PEAR Group, PEAR Board of decisions, strong Open Source Business Model fighter