Description

This script is possibly vulnerable to Cmd hijack attacks.

Cmd hijack is a command/argument confusion in cmd.exe that allows an attacker to launch arbitrary Windows system executables. The issue arises when an attacker uses path traversal sequences to hijack the command that was meant to be executed. It only affects Windows systems.

For example, the following command:

cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe"

will launch calc.exe instead of ping.exe.

Remediation

Your script should filter metacharacters from user input. PHP web applications should use escapeshellarg() instead of escapeshellcmd().
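
One way to apply this remediation in PHP, as an added example that is not part of the original advisory: the input is checked against an allow-list (IP literal or plain hostname) before escapeshellarg() is applied. The helper name build_ping_command() and the sample inputs are constructed for illustration.

```php
<?php
// Added example; build_ping_command() is a hypothetical helper name.
// It only builds the command string and never executes it.

function build_ping_command(string $host): ?string
{
    // Allow-list 1: a literal IPv4 or IPv6 address.
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;

    // Allow-list 2: a plain DNS hostname (letters, digits, hyphens, dots).
    // '/', '\' and every shell metacharacter fall outside this pattern.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHostname = strlen($host) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $host) === 1;

    if (!$isIp && !$isHostname) {
        return null; // reject instead of trying to repair the input
    }

    // Quote the validated value as a single argument, as the remediation advises.
    return 'ping ' . escapeshellarg($host);
}

// Constructed sample inputs; the third is the payload from the example above.
$samples = [
    '127.0.0.1',
    'example.com',
    '127.0.0.1/../../../../../../../../../../windows/system32/calc.exe',
    '127.0.0.1 & echo x',
];

foreach ($samples as $input) {
    $command = build_ping_command($input);
    echo $command === null
        ? "rejected: $input\n"
        : "accepted: $command\n";
}
```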
