Solved

shell_exec()

Posted on 2004-08-10
13
881 Views
Last Modified: 2008-02-01
What are the risks involved to enable this command on the server, specially on Windows (IIS)? Can we minimize the risks after enabling it? Can we get our required results with anyother way and what is that?

Wasif Ghani
0
Comment
Question by:Muhammad Wasif
  • 6
  • 3
  • 2
  • +1
13 Comments
 
LVL 33

Accepted Solution

by:
snoyes_jw earned 240 total points
ID: 11764577
Depends on how much control you have over scripts that run.  If you are the only one that can run scripts, and you don't allow user input to control arguments to shell_exec without verifying and properly escaping them, it's not a big problem.  However, if anybody can either upload scriptst to run on your server, or can pass arbitrary commands through your scripts to shell_exec, you could have a problem.

As far as getting your required results a different way, it depends entirely on what it is you are trying to do.
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 11764620
You can also limit damage by using safe_mode_exec_dir to only run programs contained in the specified directory, and then be careful with which programs you place in that directory.
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764740
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

This is written in the ini file. And i dont have safe mode on.
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764838
Also check "2. Don't Let Hackers Exploit DOS" on the following page

http://www.coordinated.co.za/discussions/viewtopic.php?t=220
0
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 240 total points
ID: 11771153
coming from the linux world, I don't know for sure on windows, but I think the following will be true on any system:
* never use a shell when you don't need it. If you need to execute a program, use exec() instead of shell_exec()
* if you need a shell function, code it in php (ie a directory listing can easily be coded in php, you don't need shell_exec('dir')
* switch on safe_mode, it disables a lot of other security problems (for example with the dl() function, everybody can run shell commands)
* if you need to execute system commands, never let user input directly into the system command, not even sanitized, use predefined values:
exec('dir c:\web\'.escapeshellarg($userinput)) // is bad, by adding path .. to the path, the user will see thing he shouldn't
do it like that:
$array_of_allowed_dirs=array('user1'=>'c:\web\user1', 'user2'=>'c:\web\user2', 'user3'=>'c:\web\user3');
if (!isset($array_of_allowed_dirs($userinput)) $userinput='user1'; // if someone trys to cheat, use a sensible default
exec('dir '.$array_of_allowed_dirs($userinput));
* Only run a choosen few programs, from which you know they have no side effect (like being able to exec a shell themselves)
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11771190
I have dedicated Windows server. I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 5

Expert Comment

by:basiclife
ID: 11805766
Can others upload scripts to your server?
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807223
No one can upload anything on the server.
0
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 20 total points
ID: 11807361
In that case, you can use it perfectly safely. If others could upload, then they could upload a script to execute whatever they want. If you're the only one who can modify the server and you choose what it executes, there's no danger whatsoever (so long as you don't accidentally execute the wrong thing...)
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807392
>Also check "2. Don't Let Hackers Exploit DOS" on the following page
>http://www.coordinated.co.za/discussions/viewtopic.php?t=220

Did u read the above article? what do u say about the known bugs of IIS i.e
"Many of the known IIS vulnerabilities allow a URL to be constructed that ultimately causes CMD.EXE to be invoked on the server."

Can u explain that?
0
 
LVL 5

Expert Comment

by:basiclife
ID: 11807450
I hadn't read the article, however, I have had someone try to do it on my old IIS server. The exploit mentioned doesn't require PHP (at least as far as I understand it). The attacker tries to make the server access cmd.exe the same way it would a web page. PHP is not required for this, so PHP settings are a moot point.
0
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 240 total points
ID: 11807620
@basiclife:
PHP is not required, but it provides another attack point, if all iis exploits are patched (hahaha)
@wasifg:
...I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose...
Where does the data that you want to encrypt come from? User input? Be very careful, for example if the user only chooses a file name that you want to send encrypted, the filename(user input, may be it's not a filename after all) will be in the shell's command line.
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 12110838
Sorry for the delay, i visited EE after a month.
Anyway, thanx.

Wasif Ghani
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now