Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows

Publication Date: 2024-02-25
Severity: Critical
Type: Remote Code Execution
Affected PHP Versions
  • 7.4.0 - 7.4.33
  • 8.0.0 - 8.0.30
  • 8.1.0 - 8.1.27
  • 8.2.0 - 8.2.17
  • 8.3.0 - 8.3.5
Fixed Product Versions
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3
  • ZendServer 2021.3.4

CVE Details

Since PHP 7.4.0, proc_open() has allowed specifying a command and its arguments as an array, with one argument per array item. proc_open() also includes an option, bypass_shell, that, on Windows, allows bypassing cmd.exe when processing arguments. This is often used to prevent cmd.exe from parsing arguments, which can lead to certain escape sequences spawning external programs. However, in affected PHP versions, if the script passed to proc_open() is a .bat or .cmd script, cmd.exe is still implicitly spawned, leading to the vulnerable behavior.

Recommendations

If you are not using proc_open(), or you are not using PHP on Windows, no action is necessary. If you are, ensure that any arguments passed to proc_open() are filtered to prevent escape sequences that could result in command execution.

We highly recommend updating to a patched version of PHP immediately.
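
One way to implement the argument filtering recommended above, as an added example (not code from this advisory or from PHP itself): a wrapper that, on Windows, only lets allow-listed arguments reach a .bat or .cmd target. The function names, the allow-list pattern and the sample commands are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);
// Assumption: strict allow-list for arguments handed to a batch script; widen only as needed.
const SAFE_ARG = '/\A[A-Za-z0-9_.,:=+\/\\\\-]+\z/';

/** True when the program is a batch script, which Windows runs through cmd.exe. */
function is_batch_target(string $program): bool
{
    // Win32 drops trailing dots and spaces from file names, so normalise first.
    $ext = strtolower(pathinfo(rtrim($program, ' .'), PATHINFO_EXTENSION));
    return $ext === 'bat' || $ext === 'cmd';
}

/** Returns null if the array command is acceptable, otherwise the reason it is refused. */
function command_rejection(array $command): ?string
{
    $command = array_values($command);
    if (!is_string($command[0] ?? null)) {
        return 'command must be a non-empty list of strings';
    }
    if (!is_batch_target($command[0])) {
        return null; // not a batch script: no implicit cmd.exe
    }
    foreach (array_slice($command, 1) as $i => $arg) {
        if (!is_string($arg) || preg_match(SAFE_ARG, $arg) !== 1) {
            return sprintf('argument %d is not allow-listed for a .bat/.cmd target', $i + 1);
        }
    }
    return null;
}

/** Hypothetical wrapper: validate on Windows, then call proc_open() with bypass_shell. */
function guarded_proc_open(array $command, array $spec, &$pipes)
{
    $reason = PHP_OS_FAMILY === 'Windows' ? command_rejection($command) : null;
    if ($reason !== null) {
        throw new InvalidArgumentException($reason);
    }
    return proc_open($command, $spec, $pipes, null, null, ['bypass_shell' => true]);
}

// Constructed sample commands (paths and values are hypothetical).
$samples = [
    ['C:\\tools\\convert.exe', 'report 2024.pdf'],
    ['C:\\tools\\deploy.bat', 'release-1.2.3'],
    ['C:\\tools\\deploy.cmd', 'name & co'],
];
foreach ($samples as $cmd) {
    echo json_encode($cmd), ' => ', command_rejection($cmd) ?? 'accepted', PHP_EOL;
}
```

The wrapper refuses unexpected arguments rather than trying to escape them for cmd.exe, since a rejection is easier to reason about than an escaping routine.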