Home / vulnerabilitiesPDF  

advisory20091114-01.txt

Posted on 24 November 2009
Source : packetstormsecurity.org Link

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PEAR Security Advisory PSA 20091114-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote
Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.

Background
==========

Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 Net_Ping < 2.4.5 >= 2.4.5
2 Net_Traceroute < 0.21.2 >= 0.21.2

-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

Remote Arbitrary Command Injection

Impact
======

When input from forms are used directly, the attacker could pass variables that would allow him to execute
remote arbitrary command injections.

Workaround
==========

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution
==========

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven't already:
# http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
# pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven't already:
# http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
# pear upgrade Net_Traceroute-0.21.2


Reported by
===========

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.


 

TOP

Malware :

Exploits :