Any discussion on the pros/cons of allowing PHP to use the exec function is welcome. Why would you want to ban it? What bad could a user do, isn't the code part of the HTML anyway? How would they modify it to run a command, etc...
Thanks all,
Jeremy
1) upload a ready-made exploit to my home directory
2) run it (with exec, passthru, whatever)
3) tada, a shell waiting for me, instruct it to create a bash with SUID in my home directory
4) the rest is left to your imagination .....
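
For admins weighing the question in this thread, the following is an added example (not part of either post) that audits php.ini text and reports which command-execution functions are still callable. It relies on PHP's `disable_functions` directive; the function list, helper names and sample fragments are assumptions made for illustration.

```python
import re

# Functions that let a PHP script start an OS process. exec and passthru are
# the ones named in the thread; the rest are the same family (assumed list).
COMMAND_FUNCTIONS = ("exec", "passthru", "shell_exec", "system",
                     "popen", "proc_open", "pcntl_exec")


def disabled_functions(ini_text):
    """Return the set of names in the effective disable_functions directive."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        match = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if match:
            # Assumption: a later line overrides an earlier one.
            value = match.group(1).strip().strip('"\'')
    # PHP function names are case-insensitive, so compare in lower case.
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def still_enabled(ini_text):
    """Command-execution functions that the ini text leaves callable."""
    disabled = disabled_functions(ini_text)
    return [name for name in COMMAND_FUNCTIONS if name not in disabled]


# Constructed sample php.ini fragments (not taken from any real host).
SAMPLE_WEAK = """
; disable_functions = exec,passthru,shell_exec,system
disable_functions = exec
"""
SAMPLE_HARDENED = """
disable_functions = "exec, passthru, shell_exec, system, popen, proc_open, pcntl_exec"
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", still_enabled(text) or "none enabled")
```

The weak sample shows the common mistake of blocking only `exec`: the commented-out line has no effect, and `passthru` and the others remain available.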