{
  "entrypoint_kind": "function_call",
  "entrypoint_detail": "Horde_Vfs_Smb public methods (createFolder, deleteFile, writeData, rename, readFile, deleteFolder, isFolder, listFolder) -> _command() -> _execute() -> proc_open()",
  "service_started": false,
  "healthcheck_passed": false,
  "target_path_reached": true,
  "runtime_stack": ["php", "horde-vfs", "Horde_Vfs_Smb", "smbclient"],
  "proof_artifacts": [
    "bundle/logs/vuln_variant/variant_run.log",
    "bundle/logs/vuln_variant/createFolder_vulnerable.log",
    "bundle/logs/vuln_variant/createFolder_fixed.log",
    "bundle/logs/vuln_variant/deleteFile_vulnerable.log",
    "bundle/logs/vuln_variant/deleteFile_fixed.log",
    "bundle/logs/vuln_variant/writeData_vulnerable.log",
    "bundle/logs/vuln_variant/writeData_fixed.log",
    "bundle/logs/vuln_variant/rename_vulnerable.log",
    "bundle/logs/vuln_variant/rename_fixed.log",
    "bundle/logs/vuln_variant/readFile_vulnerable.log",
    "bundle/logs/vuln_variant/readFile_fixed.log",
    "bundle/logs/vuln_variant/deleteFolder_vulnerable.log",
    "bundle/logs/vuln_variant/deleteFolder_fixed.log",
    "bundle/logs/vuln_variant/isFolder_vulnerable.log",
    "bundle/logs/vuln_variant/isFolder_fixed.log",
    "bundle/logs/vuln_variant/listFolderPath_vulnerable.log",
    "bundle/logs/vuln_variant/listFolderPath_fixed.log",
    "bundle/vuln_variant/artifacts/fake_smbclient.sh",
    "bundle/vuln_variant/artifacts/harness.php",
    "bundle/vuln_variant/reproduction_steps.sh"
  ],
  "notes": "Command substitution payloads fired on every tested vulnerable path but were blocked by the v3.0.1 fix, which uses an argv array for proc_open()."
}
