shell_exec()

What are the risks involved to enable this command on the server, specially on Windows (IIS)? Can we minimize the risks after enabling it? Can we get our required results with anyother way and what is that?

Wasif Ghani
LVL 20
Muhammad WasifAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
snoyes_jwConnect With a Mentor Commented:
Depends on how much control you have over scripts that run.  If you are the only one that can run scripts, and you don't allow user input to control arguments to shell_exec without verifying and properly escaping them, it's not a big problem.  However, if anybody can either upload scriptst to run on your server, or can pass arbitrary commands through your scripts to shell_exec, you could have a problem.

As far as getting your required results a different way, it depends entirely on what it is you are trying to do.
0
 
snoyes_jwCommented:
You can also limit damage by using safe_mode_exec_dir to only run programs contained in the specified directory, and then be careful with which programs you place in that directory.
0
 
Muhammad WasifAuthor Commented:
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

This is written in the ini file. And i dont have safe mode on.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
Muhammad WasifAuthor Commented:
Also check "2. Don't Let Hackers Exploit DOS" on the following page

http://www.coordinated.co.za/discussions/viewtopic.php?t=220
0
 
_GeG_Connect With a Mentor Commented:
coming from the linux world, I don't know for sure on windows, but I think the following will be true on any system:
* never use a shell when you don't need it. If you need to execute a program, use exec() instead of shell_exec()
* if you need a shell function, code it in php (ie a directory listing can easily be coded in php, you don't need shell_exec('dir')
* switch on safe_mode, it disables a lot of other security problems (for example with the dl() function, everybody can run shell commands)
* if you need to execute system commands, never let user input directly into the system command, not even sanitized, use predefined values:
exec('dir c:\web\'.escapeshellarg($userinput)) // is bad, by adding path .. to the path, the user will see thing he shouldn't
do it like that:
$array_of_allowed_dirs=array('user1'=>'c:\web\user1', 'user2'=>'c:\web\user2', 'user3'=>'c:\web\user3');
if (!isset($array_of_allowed_dirs($userinput)) $userinput='user1'; // if someone trys to cheat, use a sensible default
exec('dir '.$array_of_allowed_dirs($userinput));
* Only run a choosen few programs, from which you know they have no side effect (like being able to exec a shell themselves)
0
 
Muhammad WasifAuthor Commented:
I have dedicated Windows server. I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose.
0
 
basiclifeCommented:
Can others upload scripts to your server?
0
 
Muhammad WasifAuthor Commented:
No one can upload anything on the server.
0
 
basiclifeConnect With a Mentor Commented:
In that case, you can use it perfectly safely. If others could upload, then they could upload a script to execute whatever they want. If you're the only one who can modify the server and you choose what it executes, there's no danger whatsoever (so long as you don't accidentally execute the wrong thing...)
0
 
Muhammad WasifAuthor Commented:
>Also check "2. Don't Let Hackers Exploit DOS" on the following page
>http://www.coordinated.co.za/discussions/viewtopic.php?t=220

Did u read the above article? what do u say about the known bugs of IIS i.e
"Many of the known IIS vulnerabilities allow a URL to be constructed that ultimately causes CMD.EXE to be invoked on the server."

Can u explain that?
0
 
basiclifeCommented:
I hadn't read the article, however, I have had someone try to do it on my old IIS server. The exploit mentioned doesn't require PHP (at least as far as I understand it). The attacker tries to make the server access cmd.exe the same way it would a web page. PHP is not required for this, so PHP settings are a moot point.
0
 
_GeG_Connect With a Mentor Commented:
@basiclife:
PHP is not required, but it provides another attack point, if all iis exploits are patched (hahaha)
@wasifg:
...I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose...
Where does the data that you want to encrypt come from? User input? Be very careful, for example if the user only chooses a file name that you want to send encrypted, the filename(user input, may be it's not a filename after all) will be in the shell's command line.
0
 
Muhammad WasifAuthor Commented:
Sorry for the delay, i visited EE after a month.
Anyway, thanx.

Wasif Ghani
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.