PEAR Net_Traceroute: Command injection

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200911-06 / PEAR-Net_Traceroute
Release Date	November 26, 2009
Latest Revision	November 26, 2009: 01
Impact	high
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
dev-php/PEAR-Net_Traceroute	< 0.21.2	>= 0.21.2	All supported architectures

Related bugreports: #294264

Synopsis

An input sanitation error in PEAR Net_Traceroute might allow remote attackers to execute arbitrary commands.

2. Impact Information

Background

PEAR Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP.

Description

Pasquale Imperato reported that the $host parameter to the traceroute() function in Traceroute.php is not properly sanitized before being passed to exec().

Impact

A remote attacker could exploit this vulnerability when user input is passed directly to PEAR Net_Traceroute in a PHP script, possibly resulting in the remote execution of arbitrary shell commands with the privileges of the user running the affected PHP script.

3. Resolution Information

Workaround

Ensure that all data that is passed to the traceroute() function is properly shell escaped (for instance using the escapeshellcmd() function).

Resolution

All PEAR Net_Traceroute users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Net_Traceroute-0.21.2"

4. References

CVE-2009-4025

Page updated November 26, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.