[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 953
  • Last Modified:

shell_exec()

What are the risks involved to enable this command on the server, specially on Windows (IIS)? Can we minimize the risks after enabling it? Can we get our required results with anyother way and what is that?

Wasif Ghani
0
Muhammad Wasif
Asked:
Muhammad Wasif
  • 6
  • 3
  • 2
  • +1
4 Solutions
 
snoyes_jwCommented:
Depends on how much control you have over scripts that run.  If you are the only one that can run scripts, and you don't allow user input to control arguments to shell_exec without verifying and properly escaping them, it's not a big problem.  However, if anybody can either upload scriptst to run on your server, or can pass arbitrary commands through your scripts to shell_exec, you could have a problem.

As far as getting your required results a different way, it depends entirely on what it is you are trying to do.
0
 
snoyes_jwCommented:
You can also limit damage by using safe_mode_exec_dir to only run programs contained in the specified directory, and then be careful with which programs you place in that directory.
0
 
Muhammad WasifAuthor Commented:
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

This is written in the ini file. And i dont have safe mode on.
0
Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

 
Muhammad WasifAuthor Commented:
Also check "2. Don't Let Hackers Exploit DOS" on the following page

http://www.coordinated.co.za/discussions/viewtopic.php?t=220
0
 
_GeG_Commented:
coming from the linux world, I don't know for sure on windows, but I think the following will be true on any system:
* never use a shell when you don't need it. If you need to execute a program, use exec() instead of shell_exec()
* if you need a shell function, code it in php (ie a directory listing can easily be coded in php, you don't need shell_exec('dir')
* switch on safe_mode, it disables a lot of other security problems (for example with the dl() function, everybody can run shell commands)
* if you need to execute system commands, never let user input directly into the system command, not even sanitized, use predefined values:
exec('dir c:\web\'.escapeshellarg($userinput)) // is bad, by adding path .. to the path, the user will see thing he shouldn't
do it like that:
$array_of_allowed_dirs=array('user1'=>'c:\web\user1', 'user2'=>'c:\web\user2', 'user3'=>'c:\web\user3');
if (!isset($array_of_allowed_dirs($userinput)) $userinput='user1'; // if someone trys to cheat, use a sensible default
exec('dir '.$array_of_allowed_dirs($userinput));
* Only run a choosen few programs, from which you know they have no side effect (like being able to exec a shell themselves)
0
 
Muhammad WasifAuthor Commented:
I have dedicated Windows server. I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose.
0
 
basiclifeCommented:
Can others upload scripts to your server?
0
 
Muhammad WasifAuthor Commented:
No one can upload anything on the server.
0
 
basiclifeCommented:
In that case, you can use it perfectly safely. If others could upload, then they could upload a script to execute whatever they want. If you're the only one who can modify the server and you choose what it executes, there's no danger whatsoever (so long as you don't accidentally execute the wrong thing...)
0
 
Muhammad WasifAuthor Commented:
>Also check "2. Don't Let Hackers Exploit DOS" on the following page
>http://www.coordinated.co.za/discussions/viewtopic.php?t=220

Did u read the above article? what do u say about the known bugs of IIS i.e
"Many of the known IIS vulnerabilities allow a URL to be constructed that ultimately causes CMD.EXE to be invoked on the server."

Can u explain that?
0
 
basiclifeCommented:
I hadn't read the article, however, I have had someone try to do it on my old IIS server. The exploit mentioned doesn't require PHP (at least as far as I understand it). The attacker tries to make the server access cmd.exe the same way it would a web page. PHP is not required for this, so PHP settings are a moot point.
0
 
_GeG_Commented:
@basiclife:
PHP is not required, but it provides another attack point, if all iis exploits are patched (hahaha)
@wasifg:
...I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose...
Where does the data that you want to encrypt come from? User input? Be very careful, for example if the user only chooses a file name that you want to send encrypted, the filename(user input, may be it's not a filename after all) will be in the shell's command line.
0
 
Muhammad WasifAuthor Commented:
Sorry for the delay, i visited EE after a month.
Anyway, thanx.

Wasif Ghani
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 6
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now