  1. #1
    Join Date
    Jan 2002
    Location
    Luebeck/Germany
    Posts
    34

    php exec security problems?

    Hi,

    one of my customers is using a V-Server. Now their technician has turned off the use of exec in PHP because they told us there has been code injection in the Apache server. They did not give more explanation yet, so I am trying to find out if this is possible and how we will be able to use exec, because it's needed in one of the PHP scripts to call an external C program. The exec call is always hard coded in the script, so I don't see a problem with the PHP script.

    Is there anything I'm missing here? Is there a vulnerability in apache if exec is turned on in PHP? And if yes, is there a patch that can fix it? The customer is the only user of this V-Server and they are not renting webspace, so there is no danger of other users taking advantage of security leaks.

    Marian
    http://www.rent-a-tutor.com Software on the Web

  2. #2
    Join Date
    Jan 2002
    Location
    Luebeck/Germany
    Posts
    34
    nobody can help?
    http://www.rent-a-tutor.com Software on the Web

  3. #3
    Join Date
    Feb 2003
    Location
    Philadelphia
    Posts
    105
    The exec() function allows you to call a command line program from within a PHP script. In itself there is nothing wrong with that, but poorly written PHP code can allow an attacker to exploit the use of exec() to gain access or cause trouble on the system.

    For example:

    1) exec('ping google.com');
    2) exec('ping ' . $_GET['domain']);
    3) exec('ping ' . escapeshellarg($_GET['domain']));

    Example 1 is safe, because you cannot "inject" anything into it; it is a hard coded string.

    Example 2 is very unsafe, because you can easily inject something into the value of $_GET['domain'].

    Example 3 is mostly safe, because the escapeshellarg() function prevents people from adding in extra stuff like "rm -f /" or whatever...but this is not a good example of good coding practices.

    They should not have a problem leaving the exec() function on, but you can also use system() as long as you do not need access to the output of the command line program.
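    An added example (my own code, not from the thread or from any poster) showing what the shell actually receives for forms 2 and 3 above, plus a hardened variant for the case that escapeshellarg() alone does not cover: a value beginning with "-" that the called program would read as an option. The function names and the /bin/ping path are assumptions.

```php
<?php
// Form 2 from the post: user input concatenated raw into the command line.
// A ';' or '|' in $domain is seen by the shell, so a second command can run.
function commandUnsafe(string $domain): string {
    return 'ping -c 1 ' . $domain;
}

// Form 3 from the post: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the shell passes it through as one argument.
function commandEscaped(string $domain): string {
    return 'ping -c 1 ' . escapeshellarg($domain);
}

// Strict allowlist for a hostname: labels of letters, digits and hyphens,
// no label starting with a hyphen, bounded total length. Rejecting bad input
// is what stops option injection such as "-f"; quoting alone cannot.
function isValidHostname(string $domain): bool {
    return strlen($domain) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$/', $domain) === 1;
}

// Hardened runner: validate, quote, call the binary by absolute path (assumed
// /bin/ping here) so PATH cannot be used to swap in another program, and
// return the exit status together with the output the original poster needs.
function pingHardened(string $domain): array {
    if (!isValidHostname($domain)) {
        throw new InvalidArgumentException('refused: invalid hostname');
    }
    exec('/bin/ping -c 1 ' . escapeshellarg($domain), $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Constructed input: a hostname followed by a second shell command.
$tainted = 'example.com; id';
// Unquoted: the ';' reaches the shell as a command separator.
echo commandUnsafe($tainted), PHP_EOL;
// Quoted: the entire value is delivered to ping as a single argument.
echo commandEscaped($tainted), PHP_EOL;
// The allowlist rejects both the metacharacter case and a leading-dash option.
var_dump(isValidHostname($tainted));
var_dump(isValidHostname('-f'));
var_dump(isValidHostname('example.com'));
```

    The same pattern applies to the original poster's setup: values read from a database table still go through validation and escapeshellarg() before they are placed on a command line.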

  4. #4
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    As this is their own V-server, get the 'admins' to turn exec back on in PHP and give them a giant bollocking for turning it off and breaking the site's functionality!

    They might need to audit their code if there is a problem with the site, however. It doesn't sound like anything you need to worry about really anyway.

  5. #5
    Join Date
    Jan 2002
    Location
    Luebeck/Germany
    Posts
    34
    That's exactly what I knew about exec security before; I just wanted to make sure I did not overlook something. All my scripts are using hard coded calls with parameters that come directly from my own validated data from the MySQL table, so I'm sure it's safe. And I also need the output of the called program to use it in my script.

    Thanks a lot for the replies.

    Marian
    http://www.rent-a-tutor.com Software on the Web
