
Exploit/bypass PHP escapeshellarg/escapeshellcmd functions - josephscott
https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
======
chug
The title on this seems pretty misleading.

This is really a guide on how to use the escapeshellarg when you should use
escapeshellcmd (or the opposite). Of course, the API of system() is pretty
awful, so there _is_ an issue here in the form of "wow, PHP makes this really
easy to mess up," but there's no actual exploit in either function mentioned.
Just exploits in code people write using them. I guess the LANG one is
arguably an actual exploit though, though that gets into arguing semantics.

Edit: there's also an example that is missing quotes around an argument.
Again, something very easy to mess up, but that's what you get when you have a
function that is basically like typing a line into the shell.

~~~
akrasuski1
Actually, the mentioned GitList exploit hinges on yet another vulnerability:
lack of distinction of command-line flags and arguments. Where user expected
to put "normal" name (say a-zA-Z0-9), attacker actually supplied
--flag=exploit.
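To illustrate the flag/argument confusion described above, here is an added example in PHP (not code from the article or from GitList): it shows that escapeshellarg() alone does not stop a value like `--flag=exploit` from reaching the tool as an option, and how an allowlist plus a `--` end-of-options marker closes that gap. The helper names are made up for this example, and it assumes the invoked tool honours `--` (GNU getopt-based tools such as `ls` do; not every program does).

```php
<?php
// Added example: hardened handling of a user-controlled "name" argument.
// build_cmd() and is_plain_name() are hypothetical helper names.

function is_plain_name(string $name): bool {
    // Allowlist: must start with a letter or digit, so it can never begin with
    // "-" and be parsed as an option; then letters, digits, dot, underscore, dash.
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $name);
}

function build_cmd(string $tool, array $fixed_flags, string $user_arg): ?string {
    if (!is_plain_name($user_arg)) {
        return null; // reject rather than try to "escape" an option name
    }
    $parts = [escapeshellarg($tool)];
    foreach ($fixed_flags as $flag) {
        $parts[] = escapeshellarg($flag);   // flags are chosen by the program, not the user
    }
    $parts[] = '--';                        // end of options: everything after is positional
    $parts[] = escapeshellarg($user_arg);   // escapeshellarg() handles shell metacharacters only
    return implode(' ', $parts);
}

// Constructed inputs for demonstration. Note that escapeshellarg() happily
// quotes "--flag=exploit"; the shell strips the quotes and the tool would still
// see an option, which is why the allowlist and "--" are the real defence.
$inputs = ['repo1', 'my.project-2', '--flag=exploit', 'a;b', "x\ny"];
foreach ($inputs as $in) {
    $cmd = build_cmd('ls', ['-ld'], $in);
    printf("%-22s quoted-only: %-22s hardened: %s\n",
        var_export($in, true), escapeshellarg($in), $cmd ?? 'REJECTED');
}
```

If the tool in question cannot be told where its options end, the allowlist check is the only part of this that protects you, so keep it strict.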

------
meritt
I'm confused how a list of clever ways to get executables to initiate other
executables is somehow an "exploit" of a programming language offering a
system(3) call?

How about we just don't run system calls, especially none that contain any
amount of user input.

------
labster
Ah yes, "PHP "security"". Yes, untrusted user input going to the shell is a
bad idea, even when "sanitized".

Of course, unlike other saner languages, bypassing the shell isn't always an
option. When running under Apache, pcntl_exec() isn't available, so you just
gotta rely on escapeshellarg(), addbackslashes(), and prayer.

~~~
chatmasta
You should be running your application code in some sort of sandbox anyway, to
minimize the data available to an attacker in the event of privilege
escalation.

