Command injection via the array form of the $command parameter of proc_open(), even with the bypass_shell option enabled on Windows
Since PHP 7.4.0, proc_open() has accepted the command and its arguments as an array, one argument per element. proc_open() also has an option, bypass_shell, which on Windows causes the process to be started without going through cmd.exe. This is commonly used to keep cmd.exe from parsing the arguments, since certain cmd.exe metacharacters and escape sequences in an argument can cause additional external programs to be spawned. However, in affected PHP versions, if the program passed to proc_open() is a .bat or .cmd script, Windows still implicitly launches cmd.exe to run it, so the arguments are parsed by cmd.exe regardless of bypass_shell and the vulnerable behaviour is reached.
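The following PHP script is an added example illustrating the pattern the advisory describes; it is not code from Zend or from the PHP project. The batch script path, the descriptor layout and the character allow-list are assumptions chosen for the illustration. The first function shows the vulnerable shape (array command, bypass_shell enabled, target is a .bat file, attacker-controlled argument). The second applies the mitigation the advisory recommends for unpatched PHP on Windows: when the target is a .bat or .cmd script, reject any argument that is not drawn from a conservative allow-list, so nothing cmd.exe would treat as a command separator, redirection, variable expansion or quote escape can reach it.

```php
<?php
// Added example (not Zend's or PHP's code). Requires PHP >= 7.4 for the
// array form of proc_open(); the Windows-specific behaviour only matters
// when this runs on Windows against an unpatched PHP.

// Collects stdout of a proc_open() handle and closes everything.
function collectOutput($proc, array $pipes): string
{
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// VULNERABLE pattern on affected PHP versions.
// The command is an array and bypass_shell is set, which looks safe, but
// because the target is a .bat script Windows launches cmd.exe implicitly
// and cmd.exe parses $userInput. An input such as "x & calc.exe" would
// run a second program.
function runBatchVulnerable(string $userInput): string
{
    $cmd = ['C:\\tools\\build.bat', $userInput];           // assumed path
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes, null, null,
                      ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    return collectOutput($proc, $pipes);
}

// True when the program being launched is a batch script, i.e. the case
// where cmd.exe is still involved despite bypass_shell.
function isBatchScript(string $program): bool
{
    $ext = strtolower(pathinfo($program, PATHINFO_EXTENSION));
    return in_array($ext, ['bat', 'cmd'], true);
}

// Allow-list for arguments handed to a batch script. Letters, digits,
// '_', '-', '.', ':', path separators and spaces only. This deliberately
// excludes every cmd.exe metacharacter (& | < > ^ % ! " newline, etc.).
// The exact list is an assumption for this example; tighten it further
// for your own use case.
function assertSafeBatchArgument(string $arg): void
{
    if (!preg_match('/^[A-Za-z0-9_\-.:\\\\\/ ]*$/', $arg)) {
        throw new InvalidArgumentException(
            'Argument rejected: contains characters cmd.exe may interpret');
    }
}

// HARDENED wrapper: same call, but arguments are validated whenever the
// target is a .bat/.cmd script. Non-batch targets are passed unchanged,
// since there cmd.exe is genuinely bypassed.
function runCommandHardened(array $cmd): string
{
    if ($cmd === []) {
        throw new InvalidArgumentException('empty command');
    }
    if (isBatchScript($cmd[0])) {
        foreach (array_slice($cmd, 1) as $arg) {
            assertSafeBatchArgument((string) $arg);
        }
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes, null, null,
                      ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    return collectOutput($proc, $pipes);
}

// Constructed malicious input for demonstration: the hardened path
// refuses it before any process is started.
$hostile = 'release & calc.exe';
try {
    runCommandHardened(['C:\\tools\\build.bat', $hostile]);
    echo "unexpected: argument was accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The allow-list approach is preferred over a deny-list of known metacharacters because cmd.exe's quoting rules are irregular and a deny-list is easy to get wrong. Filtering is a stop-gap for unpatched hosts only; updating PHP remains the actual fix.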
If you are not using proc_open(), or you are not running PHP on Windows, no action is necessary. If you are, and the program you launch is a .bat or .cmd script, ensure that every argument passed to proc_open() is validated or filtered so that cmd.exe metacharacters and escape sequences that could result in command execution cannot reach it; do not rely on bypass_shell alone in this case.
We highly recommend updating to a patched version of PHP immediately.
Direct link to CVE-2024-1874 >