Description: Remote Arbitrary Command Injection
Impact: When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.
Workaround: Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
Resolution: The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5.
SVN commit: http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728&r2=290669
2.4.5 in CVS
not stable → noglsa. Thanks.
CVE-2009-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4024): Argument injection in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.
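The input filtering named in the workaround, as an added example that is not taken from the advisory or from the Net_Ping source. The helper names `validated_ping_host()` and `build_ping_command()` are hypothetical, and the code assumes PHP 7 or later and a Unix-like `ping` that accepts `-c`. Because the CVE describes argument injection, the host is checked against an allow-list before it is shell-escaped: escaping alone still lets a value beginning with `-` reach `ping` as an option.

```php
<?php
// Added example: hypothetical helpers, not part of Net_Ping.

/**
 * Return the host if it is a literal IP address or a syntactically valid
 * hostname, otherwise null. Hostname labels may not start with a hyphen,
 * so an accepted value can never be parsed by ping as a command-line option.
 */
function validated_ping_host(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Literal IPv4 or IPv6 address (some systems need ping6 for IPv6).
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname: letters, digits, hyphens and dots only.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $host;
    }
    return null;
}

/** Build the command line; throws instead of passing unchecked input on. */
function build_ping_command(string $input, int $count = 3): string
{
    $host = validated_ping_host($input);
    if ($host === null) {
        throw new InvalidArgumentException('Invalid host');
    }
    // escapeshellarg() stays as a second layer behind the allow-list.
    return sprintf('ping -c %d %s', $count, escapeshellarg($host));
}

// Constructed sample inputs: three valid hosts, then values that must be refused.
$samples = ['192.0.2.10', 'example.org', '2001:db8::1', 'example.org; id', '-f', '$(id)'];
foreach ($samples as $sample) {
    try {
        echo build_ping_command($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($sample, true), PHP_EOL;
    }
}
```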