CVE-2002-0470

A local attacker can place a malicious program named `traceroute` earlier in the system's PATH than the real traceroute binary. When the PHP script executes `exec("traceroute $a_query",$ret_strs)` without specifying a full path, the operating system resolves the command to the attacker's Trojan horse instead of the legitimate `/sbin/traceroute` [ref_id=1]. The attacker does not need to exploit the remote command injection vector; the PATH-based hijacking works independently whenever the script is invoked.

The vulnerability is in the `traceroute` function of PHPNetToolpack 0.1. The code fragment `exec("traceroute $a_query",$ret_strs)` uses the user-supplied `$a_query` variable without any filtering and calls `traceroute` without a full path [ref_id=1].

The advisory recommends replacing the bare `exec("traceroute $a_query",$ret_strs)` with two lines: first sanitize the input via `escapeshellcmd($a_query)`, then call `exec("/sbin/traceroute $sec_input",$ret_strs)` using the full path `/sbin/traceroute` [ref_id=1]. Using the full path prevents the operating system from searching the user-controlled PATH, so a Trojan horse placed earlier in the search path will never be selected. No official patch has been published because the vendor did not respond and the project appears unmaintained [ref_id=1].