Users login

Create an account »


Users login

Home » Hacking News » Input validation error in PHP Net Toolpack

Input validation error in PHP Net Toolpack

by Nikola Strahija on March 18th, 2002 Product: PHP Net Toolpack Affected Version: 0.1 and maybe all versions before Immune Version: none OS affected: all OS with php and mysql Vendor-URL: Vendor-Status: informed, no reaction yet Security-Risk: med - high Remote-Exploit: Yes

PHP Net Toolpack is a php interface for finger, traceroute and whois.
Unfortunately the author forgets to check the input for any unwanted
characters and a remote user is able to execute anything he wants with
the rights of the php user.
One more detected minor problem is the use of traceroute without giving
the full path to the executable. Therefore a local user could trick the
script executing a different program.

More details
- ------------
The important code fragement is exec("traceroute $a_query",$ret_strs);
in the function traceroute. As $a_query isn't filtered in any way before
executing traceroute it is possible to execute any command eg. using ";"
as seperator.
For the second impact a local user could write a program called
traceroute and make it executable somewhere in the search path. When the
php-script is looking for a traceroute it can be tricked in executing
the malicious program instead of the real traceroute, when his program
is found before the real one in the search path.

- ----------------
Traceroute to host "; cat /etc/passwd" leads to a
disclosure of the webserver's passwd.

- ---
You can use escapeshellcmd() to check the input for unwanted characters.
The use of full path in the exec statement can prevent local users from
tricking the webserver executing a different program.
So you can replace the bad line in the traceroute function with the
following two lines:

exec("/sbin/traceroute $sec_input",$ret_strs);

- -------------
It seems that PHP Net Toolpack is not been maintaned any longer, because
the last released dated 11.05.2000 and the author has not reacted to our
note. Nevertheless you can find it in many link lists of php script
resources. In all we decide to rate the security risk med - high.

Vendor status
- -------------
We tried to inform the author but got no reaction yet. Maybe the project
is not maintained any longer.

- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or missuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design ( is mentioned.

This advisory can be found online at:

- --
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla -

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »