CVE-2004-0542
PHP < 4.3.7 - Remote Code Execution via Shell Metacharacter Injection
Title source: manual
Description
PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function.
References (3)
Core References
Patch, Release Notes, Vendor Advisory x_refsource_confirm
http://www.php.net/release_4_3_7.php
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16331
Not Applicable x_refsource_misc
http://www.idefense.com/application/poi/display?id=108
Scores
EPSS
0.1160
EPSS Percentile
93.7%
Details
Status
published
Products (1)
php/php
< 4.3.7
Published
Aug 06, 2004
Tracked Since
Feb 18, 2026