From: admin at digibase dot ca Operating system: Linux PHP version: 5.2.1RC2 PHP Bug Type: Scripting Engine problem Bug description: Security issue with backtick
Description: ------------ Whenever I attempt to escape any code, backticks still execute without a problem - whenever I execute it from the CLI (Where I want it to execute from), it accepts injection no matter WHAT I do It seems as if there's only one way to disable this, which is enable safe mode, however, that presents problems, it disables functions I want enabled and causes problems on the webserver attached. Reproduce code: --------------- $text = escapeshellarg(escapeshellcmd(strtolower($text))); Expected result: ---------------- Filter out and prevent injection of arbitary code while sending the clean text on for processing in an if/elseif/else tree Actual result: -------------- When run like php ./script status && `rm` rm actually decides to run. not under privledges but it can cause damage -- Edit bug report at http://bugs.php.net/?id=40030&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=40030&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=40030&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=40030&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=40030&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=40030&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=40030&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=40030&r=needscript Try newer version: http://bugs.php.net/fix.php?id=40030&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=40030&r=support Expected behavior: http://bugs.php.net/fix.php?id=40030&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=40030&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=40030&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=40030&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=40030&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=40030&r=dst IIS Stability: http://bugs.php.net/fix.php?id=40030&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=40030&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=40030&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=40030&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=40030&r=mysqlcfg