  1. #1
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46

    PHP exec security


    So I was bored and wanted to create a small web interface for a few tasks. Currently, I'm using POST to get arguments and then PHP's exec() to run a small shell script.

    The scripts are all in password-protected directories, so I'm not terribly worried about them actually being abused, but I'm curious as to the best way to protect against command injection.

    Here's an example:

    PHP
    Code:
    // $username, $password and $new_password come straight from the POST request
    $cmd = "/$somepath/passwd.sh ".$username." ".$password." ".$new_password;
    exec($cmd, $output, $return);
    Shell
    Code:
    #!/bin/sh
    # passwd.sh: $1 = user, $2 = current password, $3 = new password (entered twice)
    passwd $1 <<EOF
    $2
    $3
    $3
    EOF
    If I feed it the arguments 'someuser;' 'ls' and '/', it will actually do an 'ls' and return the output. I haven't found any other commands that return output, but invalid input definitely boggles the shell script's return code, which the PHP script uses for error handling. Is there a way to deal with this kind of attack? Is there a less kludgy way of solving this problem?

    Thanks,
    -rb

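The two usual fixes for the concatenated exec() string above, as an added example that is not the poster's code: validate the username against an allow-list pattern and quote every argument with escapeshellarg() so the shell treats each value as a single word, or skip the shell entirely with proc_open()'s array form (PHP 7.4+). The script path /usr/local/bin/passwd.sh is an assumed placeholder for the poster's $somepath.

```php
<?php
// Added example, not the original code. /usr/local/bin/passwd.sh is an assumed
// placeholder for the poster's "/$somepath/passwd.sh".
const PASSWD_SCRIPT = '/usr/local/bin/passwd.sh';

// Allow-list check: a username is only ever letters, digits, '_' and '-'.
// Anything else (';', '|', '$(', whitespace) is rejected before it reaches a shell.
function validate_username(string $user): void
{
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
}

// Fix 1: keep exec() but build the string with escapeshellarg(), which wraps
// each value in single quotes and escapes embedded quotes, so a value such as
// "someuser; ls /" is passed to passwd.sh as one literal argument.
function build_cmd_safe(string $user, string $pw, string $newpw): string
{
    validate_username($user);
    return PASSWD_SCRIPT . ' ' . escapeshellarg($user) . ' '
         . escapeshellarg($pw) . ' ' . escapeshellarg($newpw);
}

// Fix 2: no shell at all. With an array command proc_open() execs the script
// directly, so no metacharacter in any argument is ever interpreted. The exit
// status is returned for the same error handling the poster does with $return.
// Caveat: passwords on argv are visible to other local users via ps; feeding
// them on stdin (as the heredoc in passwd.sh already does) is the better design.
function run_passwd_script(string $user, string $pw, string $newpw): int
{
    validate_username($user);
    $spec  = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open([PASSWD_SCRIPT, $user, $pw, $newpw], $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]); // collected like exec()'s $output
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// The injected value from the post now fails validation instead of running 'ls'.
try {
    build_cmd_safe('someuser;', 'ls', '/');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo build_cmd_safe('someuser', "it's;ls", 'new'), "\n";
```

Note that quoting protects the PHP side only; passwd.sh should still reference "$1", "$2" and "$3" with double quotes so the values survive the second hop unchanged.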
  2. #2
    Linux Engineer RobinVossen's Avatar
    Join Date
    Aug 2007
    Location
    The Netherlands
    Posts
    1,429
    This is REALLY insecure code indeed.
    As people can execute anything.
    It's better to not use exec at all, but if you really do want to use it, FILTER everything.
    New Users, please read this..
    Google first, then ask..

  3. #3
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    Oh yes. I'm aware of how terrifyingly insecure it is.

    Any thoughts on a less insane way of doing it?

  4. #4
    Linux Engineer RobinVossen's Avatar
    Join Date
    Aug 2007
    Location
    The Netherlands
    Posts
    1,429
    Translate the .sh to php.
    New Users, please read this..
    Google first, then ask..
