PEAR Security Advisory (PSA 200911-14-01)
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
Net_Ping is an OS-independent wrapper class for executing ping calls from PHP.
Net_Traceroute is an OS-independent wrapper class for executing traceroute calls from PHP.
Package          Vulnerable    Unaffected
---------------  ------------  ------------
Net_Ping         < 2.4.5       >= 2.4.5
Net_Traceroute   < 0.21.2      >= 0.21.2

2 affected packages on all of their supported architectures.
Remote Arbitrary Command Injection
When user-supplied input (for example a hostname taken from a web form) is passed unfiltered to either class, an attacker can append shell metacharacters to it and execute arbitrary commands on the host running the PHP application.
Workaround: filter and shell-escape any user-supplied input before passing it to either package, or upgrade both packages to the fixed versions below.
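The consumer-side pattern behind this advisory and the workaround it recommends, as an added example that is not part of the advisory or of the Net_Ping package. It assumes the Net_Ping API as installed from PEAR (Net_Ping::factory() and $ping->ping($host)); naive_command_line(), ping_unsafe(), validate_ping_target(), ping_safe() and demo() are illustrative helpers introduced here, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the PEAR advisory or the Net_Ping package.
// Assumes the Net_Ping API as installed by `pear install Net_Ping`:
// Net_Ping::factory() and Net_Ping::ping($host). All other names are
// illustrative helpers introduced here.

// Rough shape of the pre-2.4.5 bug (constructed approximation, not the
// package's exact code): the target is interpolated into a command string
// that is handed to the shell, so metacharacters in $host are interpreted.
// Returned as a string here so the effect is visible without executing it.
function naive_command_line(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Vulnerable consumer pattern: form input reaches the wrapper untouched.
function ping_unsafe(string $host)
{
    require_once 'Net/Ping.php';
    $ping = Net_Ping::factory();
    return $ping->ping($host);   // $host came straight from $_GET['host']
}

// Allowlist validation: accept an IPv4/IPv6 literal or an RFC 1123 hostname
// and nothing else. Every shell metacharacter (; | & ` $ ( ) < > quotes,
// embedded whitespace, newlines) and a leading '-' (option injection) fail
// this check, so a value that passes is safe to hand to the wrapper even on
// an unpatched install. Only leading/trailing whitespace is tolerated.
function validate_ping_target(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\.?\z/', $input) === 1) {
        return $input;
    }
    return null;
}

// Hardened consumer: validate first, and reject rather than "clean up".
function ping_safe(string $input)
{
    $host = validate_ping_target($input);
    if ($host === null) {
        throw new InvalidArgumentException('invalid ping target');
    }
    require_once 'Net/Ping.php';
    $ping = Net_Ping::factory();
    return $ping->ping($host);
}

// Demonstration on constructed inputs. Runs without Net_Ping installed
// because it never calls the wrapper.
function demo(): void
{
    $inputs = [
        'example.com',            // accepted
        '203.0.113.7',            // accepted (IPv4 literal)
        '::1',                    // accepted (IPv6 literal)
        '127.0.0.1; id',          // rejected: command chaining
        "127.0.0.1\nid",          // rejected: newline ends the command
        '$(whoami).example.com',  // rejected: command substitution
        '-f 127.0.0.1',           // rejected: option injection and a space
    ];
    foreach ($inputs as $in) {
        $verdict = validate_ping_target($in) === null ? 'REJECTED' : 'accepted';
        printf("%-28s -> %s\n", json_encode($in), $verdict);
    }
    // What the unpatched wrapper would have handed to the shell:
    echo "\nunfiltered: " . naive_command_line('127.0.0.1; id') . "\n";
}

demo();
```

The same validator belongs in front of the Net_Traceroute call as well. Validation is preferred here over calling escapeshellarg() at the call site: a host that passes the allowlist contains nothing the shell interprets, so it is safe on an unpatched install and is not mangled by double quoting once the upgraded package quotes the argument itself. Upgrading remains the actual fix; the allowlist only protects the one call path you have wrapped.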
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
- pear upgrade Net_Ping-2.4.5
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
- pear upgrade Net_Traceroute-0.21.2
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.