- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PEAR Security Advisory PSA 20091114-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Serious
Title:    PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date:     November 14, 2009
ID:       200911-14-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple remote arbitrary command injection vulnerabilities have been found
in Net_Ping and Net_Traceroute.

Background
==========

Net_Ping is an OS independent wrapper class for executing ping calls from PHP.
Net_Traceroute is an OS independent wrapper class for executing traceroute
calls from PHP.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  Net_Ping                   < 2.4.5                    >= 2.4.5
  2  Net_Traceroute             < 0.21.2                   >= 0.21.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Remote Arbitrary Command Injection

Impact
======

When form input is passed to these classes directly, an attacker could supply
values that allow remote arbitrary command injection.

Workaround
==========

Filter your input to make sure the values passed into the commands are shell
escaped, or upgrade to the latest version of both packages.
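The following is an added example of the workaround, not code from the advisory or from the Net_Ping/Net_Traceroute packages. It assumes a Linux `ping` binary and a hypothetical `host` form field; the target is allow-listed first and then passed through `escapeshellarg()` so that nothing taken from the request can alter the shell command.

```php
<?php
// Added example (not from the PEAR advisory or the Net_Ping package):
// validate a user-supplied ping target before it reaches any shell command.
// Assumes the caller hands over the raw form value (e.g. $_GET['host']).

/**
 * Return a validated, shell-escaped target, or null if the input is rejected.
 * Allow-listing is the first layer; escapeshellarg() is the second, so that
 * even an accepted value cannot break out of its argument position.
 */
function safe_ping_target($input)
{
    $input = trim((string) $input);

    // Accept literal IPv4/IPv6 addresses.
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return escapeshellarg($input);
    }

    // Accept RFC 1123 style hostnames: dot-separated labels of letters,
    // digits and inner hyphens, at most 253 characters in total. Anything
    // else (spaces, ';', '|', '`', '$', newlines, a leading '-') is refused.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($input) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $input)) {
        return escapeshellarg($input);
    }

    return null;
}

// Build the command only from the validated value; the option list is fixed
// by the application and never taken from the request.
function build_ping_command($input, $count = 3)
{
    $target = safe_ping_target($input);
    if ($target === null) {
        return null;
    }
    $count = max(1, min(10, (int) $count));   // clamp to a sane range
    return sprintf('ping -c %d %s', $count, $target);
}

// Usage: refuse the request instead of executing anything on bad input.
$cmd = build_ping_command(isset($_GET['host']) ? $_GET['host'] : '');
if ($cmd === null) {
    http_response_code(400);
    echo "invalid host\n";
} else {
    passthru($cmd);
}
```

Rejecting the request on invalid input is deliberate: the allow-list decides what is a target at all, and `escapeshellarg()` only guarantees that the accepted string reaches `ping` as a single argument.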
Resolution
==========

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they
haven't already:

  # http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
  # pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to
Net_Traceroute-0.21.2 if they haven't already:

  # http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
  # pear upgrade Net_Traceroute-0.21.2

Reported by
===========

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.