Описание
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
A command injection flaw was found in PHP, exclusive to Windows environments. This flaw allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function in specific conditions. The CreateProcess function implicitly uses cmd.exe when executing batch files, which has complicated parsing rules for arguments that have not fully escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.
Отчет
This vulnerability exclusively applies to applications running on Windows.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | php | Out of support scope | ||
| Red Hat Enterprise Linux 7 | php | Out of support scope | ||
| Red Hat Enterprise Linux 8 | php:7.4/php | Not affected | ||
| Red Hat Enterprise Linux 8 | php:8.0/php | Not affected | ||
| Red Hat Enterprise Linux 8 | php:8.2/php | Not affected | ||
| Red Hat Enterprise Linux 9 | php | Not affected | ||
| Red Hat Enterprise Linux 9 | php:8.1/php | Not affected | ||
| Red Hat Enterprise Linux 9 | php:8.2/php | Not affected |
Показывать по
Дополнительная информация
EPSS
Связанные уязвимости
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before ...
Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows
EPSS