=====================================================================
CERT-Renater Information Note No. 2009/VULN482
_____________________________________________________________________
DATE                 : 25/11/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running PEAR Net_Ping, PEAR Net_Traceroute.
======================================================================

http://pear.php.net/advisory20091114-01.txt
______________________________________________________________________

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PEAR Security Advisory PSA 20091114-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Serious
Title:    PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date:     November 14, 2009
ID:       200911-14-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple remote arbitrary command injections have been found in Net_Ping
and Net_Traceroute.

Background
==========

Net_Ping is an OS independent wrapper class for executing ping calls from
PHP.

Net_Traceroute is an OS independent wrapper class for executing traceroute
calls from PHP.

Affected packages
=================

-------------------------------------------------------------------
     Package            /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  Net_Ping              < 2.4.5         >= 2.4.5
  2  Net_Traceroute        < 0.21.2        >= 0.21.2
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

Remote Arbitrary Command Injection

Impact
======

When input from forms is used directly, an attacker could pass variables
that would allow them to execute arbitrary commands remotely.

Workaround
==========

Filter your input to make sure the values passed to the commands are shell
escaped, or upgrade to the latest version of both packages.

Resolution
==========

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if
they haven't already:

  # http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
  # pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to
Net_Traceroute-0.21.2 if they haven't already:

  # http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
  # pear upgrade Net_Traceroute-0.21.2

Reported by
===========

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
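The workaround above ("filter your input" and "shell escape" the values) is easier to apply correctly with a concrete pattern in front of you. The following is an added example written for this note; it is not code from the PEAR advisory or from the Net_Ping/Net_Traceroute packages. It shows the unsafe "before" shape the advisory describes (a host string concatenated straight into a shell command) next to a hardened form that first whitelists the value as a hostname or IP literal and only then passes it through escapeshellarg(). The function names validateHost(), buildPingCommandUnsafe() and buildPingCommand() are hypothetical, as are the sample inputs at the bottom.

```php
<?php
// Added example for the PEAR PSA 20091114-01 workaround. Not the packages' own
// code; all function names and sample values below are constructed.

/**
 * Whitelist check: accept only an IPv4/IPv6 literal or an RFC 1123 hostname.
 * This is the real defence. Escaping alone still lets a hostile string reach
 * ping/traceroute as an argument, where it may be parsed as an option.
 */
function validateHost(string $host): bool
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Labels of letters, digits and hyphens, not starting or ending with a
    // hyphen, each at most 63 characters, joined by dots.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host);
}

/**
 * The "before": the advisory's unsafe pattern. The host value is interpolated
 * into the command line untouched, so shell metacharacters in it are honoured.
 */
function buildPingCommandUnsafe(string $host): string
{
    return 'ping -c 4 ' . $host;
}

/**
 * The "after": validate, then escape. escapeshellarg() single-quotes the value
 * and neutralises embedded quotes, so the shell treats it as one literal word.
 * The "--" separator (assumed: getopt-based ping implementations honour it)
 * stops ping from reading a leading "-" in the host as an option.
 */
function buildPingCommand(string $host): string
{
    if (!validateHost($host)) {
        throw new InvalidArgumentException('host is not a valid hostname or IP');
    }
    return 'ping -c 4 -- ' . escapeshellarg(trim($host));
}

// Constructed sample inputs: two legitimate values, two that must be rejected.
$samples = ['pear.php.net', '192.0.2.10', 'host;extra', '-opt'];
foreach ($samples as $sample) {
    printf("%-14s accepted=%s\n", $sample, validateHost($sample) ? 'yes' : 'no');
}

// Only validated input ever reaches the command builder.
echo buildPingCommand('pear.php.net'), PHP_EOL;
```

The order matters: reject first, escape second. Escaping converts the value into an inert shell argument, but it is the whitelist that guarantees the argument is something ping or traceroute can only interpret as a destination. The same two-step shape applies to any other value (for example a TTL or packet count) that a wrapper forwards to a system binary.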