VYPR
Unrated severity · NVD Advisory · Published Aug 12, 2002 · Updated Jun 16, 2026

CVE-2002-0471

Description

PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code via shell metacharacters in the a_query variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • cpe:2.3:a:phpnettoolpack:phpnettoolpack:0.1:*:*:*:*:*:*:*
  • (no CPE) range: =0.1

Vulnerability mechanics

Root cause

"Missing input validation in the `a_query` variable allows shell metacharacter injection into an `exec()` call."

Attack vector

An attacker sends a crafted HTTP request to the PHPNetToolpack application, supplying shell metacharacters (such as `;`) in the `a_query` parameter [ref_id=1]. Because the input is not filtered before being passed to `exec()`, the attacker can inject arbitrary shell commands after the intended `traceroute` command [ref_id=1]. For example, providing a host value like `www.example.com; cat /etc/passwd` causes the server to execute both the traceroute and the injected command, disclosing sensitive files [ref_id=1]. No authentication is required, and the attack is performed remotely over HTTP [ref_id=1].

Affected code

The vulnerable code is the `exec("traceroute $a_query",$ret_strs);` call inside the `traceroute` function of PHPNetToolpack 0.1 [ref_id=1]. The `$a_query` variable is passed directly to the shell without any sanitization or filtering [ref_id=1].

What the fix does

The advisory recommends two changes to remediate the vulnerability [ref_id=1]. First, the input should be sanitized using PHP's `escapeshellcmd()` function to escape shell metacharacters before use. Second, the full path to the `traceroute` binary (e.g., `/sbin/traceroute`) should be specified in the `exec()` call to prevent path-based hijacking [ref_id=1]. No official patch has been released by the vendor, as the project appears unmaintained [ref_id=1].
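
The remediation described above, written out as an added example; it is not PHPNetToolpack's code or a vendor patch. It keeps the advisory's full binary path but, as assumptions of this example, adds an allowlist check and uses `escapeshellarg()` in place of `escapeshellcmd()`, because `escapeshellcmd()` escapes metacharacters yet still lets a value that starts with `-` reach `traceroute` as an option. The helper name `build_traceroute_cmd` is hypothetical.

```php
<?php
// Added example, not the project's code. The original call was:
//   exec("traceroute $a_query",$ret_strs);

const TRACEROUTE_BIN = '/sbin/traceroute'; // full path, as the advisory recommends

/**
 * Return the command line for a traceroute to $a_query, or null if the
 * value is not an IP literal or a plain hostname (hypothetical helper).
 */
function build_traceroute_cmd(string $a_query): ?string
{
    $host = trim($a_query);

    // Allowlist (assumption beyond the advisory): IP literal, or a hostname of
    // letters, digits, dots and hyphens that cannot begin or end with '-' or '.'.
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isHostname = strlen($host) <= 253
        && preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/', $host) === 1;
    if (!$isIp && !$isHostname) {
        return null;
    }

    // escapeshellarg() single-quotes the value so the shell sees one argument.
    return TRACEROUTE_BIN . ' ' . escapeshellarg($host);
}

function traceroute(string $a_query): array
{
    $cmd = build_traceroute_cmd($a_query);
    if ($cmd === null) {
        return ['error: invalid host'];
    }
    $ret_strs = [];
    exec($cmd, $ret_strs, $status);
    return $status === 0 ? $ret_strs : ['error: traceroute failed'];
}

// Constructed sample inputs; only the command line is printed, nothing is executed.
$samples = ['www.example.com', '192.0.2.1', 'www.example.com; cat /etc/passwd', '-n'];
foreach ($samples as $input) {
    $cmd = build_traceroute_cmd($input);
    printf("%-36s => %s\n", var_export($input, true), $cmd ?? 'REJECTED');
}
```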

Preconditions

  • network: The PHPNetToolpack application must be deployed and accessible over HTTP
  • input: The attacker must be able to supply arbitrary values for the a_query parameter (e.g., via HTTP GET/POST)

Reproduction

1. Identify a PHPNetToolpack 0.1 instance that exposes the traceroute function.
2. Send an HTTP request with the `a_query` parameter set to a payload containing shell metacharacters, e.g., `www.example.com; cat /etc/passwd`.
3. Observe that the output includes the contents of `/etc/passwd` in addition to the traceroute results, confirming arbitrary command execution [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
