Description
Bypass of CVE-2024-1874
Summary
Same as CVE-2024-1874.
Due to the improper handling of command-line arguments on Windows, maliciously crafted arguments can inject arbitrary commands even when the bypass_shell option is enabled.
Details
Add a space at the end of the file name; everything else is the same as CVE-2024-1874.
PoC
- Save the following file as test.bat.
- Save the following file as 1.php; notice the space at the end of the argv file name.
- Run it with PHP and confirm that notepad.exe pops up.
Impact
Malicious command-line arguments on the Windows platform.
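As an added example (not code from the advisory or from PHP itself), a defensive wrapper for application code that passes user-influenced arguments to proc_open() on Windows: it requires a byte-exact allowlist match for the command name, so a name with a trailing space is rejected, refuses batch files, and screens arguments for cmd.exe metacharacters. The names run_trusted_command(), php_has_trailing_space_fix() and ALLOWED_PROGRAMS are hypothetical, and the allowlist entry is a constructed sample path.

```php
<?php
// Added example, not code from the advisory or from PHP. Hypothetical names:
// run_trusted_command(), php_has_trailing_space_fix(), ALLOWED_PROGRAMS.

// Absolute paths of programs this application is allowed to launch.
const ALLOWED_PROGRAMS = [
    'C:\\Program Files\\Git\\bin\\git.exe',   // constructed sample entry
];

// Versions the advisory names as carrying the fix for the trailing-space bypass.
const FIXED_VERSIONS = ['8.1' => '8.1.29', '8.2' => '8.2.20', '8.3' => '8.3.8'];

function php_has_trailing_space_fix(): bool
{
    $branch = implode('.', array_slice(explode('.', PHP_VERSION), 0, 2));
    if (isset(FIXED_VERSIONS[$branch])) {
        return version_compare(PHP_VERSION, FIXED_VERSIONS[$branch], '>=');
    }
    // Branches the advisory does not list: treat anything newer than 8.3.8 as fixed.
    return version_compare(PHP_VERSION, '8.3.8', '>=');
}

function run_trusted_command(array $command, string $cwd, ?string &$stdout = null): int
{
    if (!php_has_trailing_space_fix()) {
        trigger_error('PHP ' . PHP_VERSION . ' predates the trailing-space fix', E_USER_WARNING);
    }
    $program = $command[0] ?? null;
    // The bypass depends on the command name carrying trailing whitespace. A byte-exact
    // allowlist match means "git.exe " (trailing space) never reaches proc_open().
    if (!is_string($program) || $program !== trim($program) || !in_array($program, ALLOWED_PROGRAMS, true)) {
        throw new InvalidArgumentException('program not allowlisted or has surrounding whitespace');
    }
    // Never launch batch files with caller-supplied arguments: cmd.exe parses them.
    if (preg_match('/\.(bat|cmd)$/i', $program)) {
        throw new InvalidArgumentException('batch files are not permitted');
    }
    // Defence in depth even on fixed versions: reject cmd.exe metacharacters in arguments.
    foreach (array_slice($command, 1) as $arg) {
        if (!is_string($arg) || preg_match('/[&|<>^%!"\r\n]/', $arg)) {
            throw new InvalidArgumentException('argument rejected: ' . var_export($arg, true));
        }
    }
    $proc = proc_open($command, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $cwd, null, ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}
```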
Packages
Affected version listed: 8.3.6
Fixed in: 8.1.29, 8.2.20, 8.3.8
Related vulnerabilities
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.