Description

This script is possibly vulnerable to Cmd hijack attacks.

Cmd hijack is a command/argument confusion in cmd.exe that allows an attacker to launch arbitrary Windows system executables. The issue appears when an attacker is using path traversal sequences to hijack the original command that should be executed. It only affects Windows systems.

For example, the following command: 

cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"
will launch calc.exe instead of ping.exe.

Remediation

Your script should filter metacharacters from user input. PHP web applications should use escapeshellarg() instead of escapeshellcmd().

References

Cmd Hijack

Related Vulnerabilities

Telerik Web UI RadAsyncUpload Deserialization

Fortinet Out-Of-Bound Memory Write RCE (CVE-2024-21762)

Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)

WordPress Plugin Fast Secure Contact Form Remote Code Execution (4.0.44)

WordPress Plugin ProfileGrid-User Profiles, Groups and Communities Remote Code Execution (2.8.5)

Severity

High

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution