| Rule General Information | |
|---|---|
| Release Date: | 2019-07-05 |
| Rule Name: | PHP Win32 escapeshellcmd() Input Validation Command Execution Vulnerability (CVE-2004-0542) |
| Severity: | |
| CVE ID: | |

| Rule Protection Details | |
|---|---|
| Description: | PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%%" character to the escapeshellarg function. |
| Impact: | An attacker who successfully exploits this vulnerability can execute arbitrary commands in the context of the vulnerable software. |
| Affected OS: | Windows |
| Reference: | http://www.idefense.com/application/poi/display?id=108 http://www.php.net/release_4_3_7.php https://exchange.xforce.ibmcloud.com/vulnerabilities/16331 |

| Solutions |
|---|
| Refer to the announcement or patch by the vendor: http://www.php.net/release_4_3_7.php |