PEAR Security Advisory - Multiple remote arbitrary command injections have been found in the Net_Pingand Net_Traceroute.Net_Ping versions below 2.4.5 and Net_Traceroute versions below 0.21.2 are affected.
1f8e26e5d2a3b7524f9d89fd9fd45aede051f3408d7534eb1f57bbb1ea3b1a36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PEAR Security Advisory PSA 20091114-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote
Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.
Background
==========
Net_Ping is an OS independent wrapper class for executing ping calls from PHP
Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 Net_Ping < 2.4.5 >= 2.4.5
2 Net_Traceroute < 0.21.2 >= 0.21.2
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Remote Arbitrary Command Injection
Impact
======
When input from forms are used directly, the attacker could pass variables that would allow him to execute
remote arbitrary command injections.
Workaround
==========
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
Resolution
==========
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven't already:
# https://download.pear.php.net/package/Net_Ping-2.4.5.tgz
# pear upgrade Net_Ping-2.4.5
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven't already:
# https://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
# pear upgrade Net_Traceroute-0.21.2
Reported by
===========
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.