oss-sec mailing list archives
Re: CVE request: Argument injections in multiple PEAR packages
From: Raphael Geissert <geissert () debian org>
Date: Fri, 11 Dec 2009 12:20:13 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Legler wrote:
[...]
> 2. PEAR-Net_Ping < 2.4.5 ping() Argument Injection via $host
> Upstream writes: "When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections."
[...]
> 3. PEAR-Net_Traceroute < 0.21.2 traceroute() Argument Injection via $host
> See above, same advisory.

The fix applied by upstream in both cases is incomplete as it only prevents the command execution vulnerability, but doesn't address the argument injection vulnerability. The appropriate fix in both cases is to use escapeshellarg instead of escapeshellcmd.

Please assign new ids for the incomplete fixes.

Thanks in advance.

Regards,
- -- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksijWIACgkQYy49rUbZzlpnqgCfcHEHuhEA68P2uLr/UvAs1mnS
teEAn3zmAW+a8iYFn7bjsobk9w+BXy+P
=Bshr
-----END PGP SIGNATURE-----
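The following is an added illustration of the escapeshellcmd()/escapeshellarg() distinction raised in the message above. It is example code written for this page, not code from PEAR's Net_Ping or Net_Traceroute and not the poster's; the $host value, the is_plausible_host() and build_ping_command() helpers are hypothetical, and it assumes PHP 7.1 or later on a POSIX system (escapeshellarg() uses double quotes on Windows).

```php
<?php
// Added example, not PEAR code: why escapeshellcmd() leaves argument
// injection open while escapeshellarg() closes the shell-level hole.

// Hypothetical attacker-controlled value taken straight from a form field.
// It contains no shell metacharacters, only a leading "-" and spaces.
$host = '-c 1000000 -s 65500 localhost';

// escapeshellcmd() only backslash-escapes shell metacharacters
// (# & ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ and newline). It does not touch
// "-" or whitespace, so the shell still splits the value into several
// argv elements and ping parses them as its own options.
$with_cmd = 'ping ' . escapeshellcmd($host);

// escapeshellarg() wraps the whole value in single quotes (escaping any
// embedded single quote), so ping receives it as exactly one argv element.
$with_arg = 'ping ' . escapeshellarg($host);

// Caveat: even a single argv element that starts with "-" is still handed to
// getopt() as an option, so quoting alone does not fully cover the hostname
// case. Allowlist the value before it reaches the shell at all. This helper
// is an added suggestion, not part of PEAR's API; it accepts hostnames and
// dotted IPv4 literals only (IPv6 is deliberately out of scope here).
function is_plausible_host(string $host): bool
{
    if ($host === '' || strlen($host) > 253 || $host[0] === '-') {
        return false;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Refuse rather than sanitise: return null for anything that is not a
// plausible host, and quote the argument even after it has passed the check.
function build_ping_command(string $host): ?string
{
    if (!is_plausible_host($host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

var_dump($with_cmd);
var_dump($with_arg);
var_dump(build_ping_command($host));
var_dump(build_ping_command('www.example.org'));
```

Run with the PHP CLI: the first string is byte-for-byte the untrusted input appended to "ping ", since escapeshellcmd() found nothing to escape; the second carries the injected options inside one pair of single quotes; build_ping_command() returns null for the injected value and a quoted command for the ordinary hostname. Where the invoked binary honours the POSIX "--" end-of-options marker, placing it before the quoted argument is a further defence, but the allowlist is the one that does not depend on the tool's option parser.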
Current thread:
- CVE request: Argument injections in multiple PEAR packages Alex Legler (Nov 23)
- Re: CVE request: Argument injections in multiple PEAR packages Josh Bressers (Nov 24)
- Re: CVE request: Argument injections in multiple PEAR packages Steven M. Christey (Nov 28)
- Re: CVE request: Argument injections in multiple PEAR packages Raphael Geissert (Dec 11)
- Re: CVE request: Argument injections in multiple PEAR packages Josh Bressers (Nov 24)