From: [EMAIL PROTECTED]
Operating system: Win2k
PHP version: 4.1.1
PHP Bug Type: Unknown/Other Function
Bug description: escapeshellarg does not escape characters for win32
Windows NT 5.0 build 2195
Microsoft-IIS/5.0
PHP version 4.1.1 (the binary zip package for win32)
PHP is running in CGI mode (php.exe)
Example script:
<?php
$arg = "junk && start cmd junk";   // stands in for a value taken from a form
$arg = escapeshellarg($arg);
system("anycommand $arg", $output);
This starts a command shell running as the web server process. This could
be used as an exploit if the contents of $arg come from a form.
This also works with system(escapeshellcmd("anycommand $arg"));
As a suggestion, you might want to create a command to "removeshellchars"
instead of just quoting them.
--
Edit bug report at http://bugs.php.net/?id=15818&edit=1
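
Added example (not part of the original report and not PHP's own code): a simplified model of cmd.exe quoting shows why the && in the report's $arg stays live when the argument is wrapped in single quotes, and how double-quote wrapping or a strict allowlist in the spirit of the suggested "removeshellchars" closes that gap. Assumptions: the model treats only double quotes as quoting, all helper names are hypothetical, and quote_windows_style() follows the behaviour the PHP manual documents for escapeshellarg() on Windows in current releases.

```php
<?php
// Added example. Simplified cmd.exe model: only double quotes open or close
// a quoted region; single quotes are ordinary characters to cmd.exe.
const CMD_META = ['&', '|', '<', '>', '^'];

/** Return the cmd.exe metacharacters in $cmdline that sit outside double quotes. */
function unquoted_cmd_metachars(string $cmdline): array
{
    $found = [];
    $inQuotes = false;
    foreach (str_split($cmdline) as $ch) {
        if ($ch === '"') {
            $inQuotes = !$inQuotes;
        } elseif (!$inQuotes && in_array($ch, CMD_META, true)) {
            $found[] = $ch;
        }
    }
    return $found;
}

/** POSIX-style quoting (assumption: what an escaper written only for Unix shells emits). */
function quote_posix_style(string $arg): string
{
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

/** Windows-style quoting: ", % and ! become spaces, then wrap in double quotes. */
function quote_windows_style(string $arg): string
{
    return '"' . str_replace(['"', '%', '!'], ' ', $arg) . '"';
}

/** Strict allowlist (hypothetical helper): reject anything outside a safe character set. */
function allowlisted_arg(string $arg): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]+\z/', $arg) === 1 ? $arg : null;
}

$arg = 'junk && start cmd junk';   // value from the report's example script

// Metacharacters cmd.exe would still interpret under each quoting style.
var_dump(unquoted_cmd_metachars('anycommand ' . quote_posix_style($arg)));
var_dump(unquoted_cmd_metachars('anycommand ' . quote_windows_style($arg)));

// Allowlist check on the report's value and on a constructed benign value.
var_dump(allowlisted_arg($arg));
var_dump(allowlisted_arg('report.txt'));
```

The model ignores caret escaping and %VAR% expansion inside quotes, so an empty result from unquoted_cmd_metachars() is a necessary check, not a proof of safety; the allowlist is the stronger control.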