Solved

shell_exec()

Posted on 2004-08-10
Medium Priority
945 Views
Last Modified: 2008-02-01
What are the risks involved in enabling this command on the server, especially on Windows (IIS)? Can we minimize the risks after enabling it? Can we get our required results in any other way, and what is that?

Wasif Ghani
Question by:Muhammad Wasif
13 Comments
 
LVL 33

Accepted Solution

by:
snoyes_jw earned 720 total points
ID: 11764577
Depends on how much control you have over scripts that run.  If you are the only one that can run scripts, and you don't allow user input to control arguments to shell_exec without verifying and properly escaping them, it's not a big problem.  However, if anybody can either upload scripts to run on your server, or can pass arbitrary commands through your scripts to shell_exec, you could have a problem.

As far as getting your required results a different way, it depends entirely on what it is you are trying to do.
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 11764620
You can also limit damage by using safe_mode_exec_dir to only run programs contained in the specified directory, and then be careful with which programs you place in that directory.
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764740
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

This is written in the ini file. And I don't have safe mode on.
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764838
Also check "2. Don't Let Hackers Exploit DOS" on the following page

http://www.coordinated.co.za/discussions/viewtopic.php?t=220
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 720 total points
ID: 11771153
Coming from the Linux world, I don't know for sure on Windows, but I think the following will be true on any system:
* never use a shell when you don't need it. If you need to execute a program, use exec() instead of shell_exec()
* if you need a shell function, code it in PHP (i.e. a directory listing can easily be coded in PHP; you don't need shell_exec('dir'))
* switch on safe_mode, it disables a lot of other security problems (for example with the dl() function, everybody can run shell commands)
* if you need to execute system commands, never let user input directly into the system command, not even sanitized, use predefined values:
exec('dir c:\web\\'.escapeshellarg($userinput)); // is bad: by adding .. to the path, the user will see things he shouldn't
do it like that:
$array_of_allowed_dirs=array('user1'=>'c:\web\user1', 'user2'=>'c:\web\user2', 'user3'=>'c:\web\user3');
if (!isset($array_of_allowed_dirs[$userinput])) $userinput='user1'; // if someone tries to cheat, use a sensible default
exec('dir '.$array_of_allowed_dirs[$userinput]);
* Only run a chosen few programs, which you know have no side effects (like being able to exec a shell themselves)
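As an added illustration of the allow-list advice in the comment above (example code written for this page, not _GeG_'s own code or any project's): the C:\web paths are constructed for the example, list_dir_unsafe() is kept only to show the pattern being warned against, and the other two functions show the same listing done with a predefined value and with no external command at all.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: the only directories a request may list (paths assumed).
const ALLOWED_DIRS = [
    'user1' => 'C:\\web\\user1',
    'user2' => 'C:\\web\\user2',
    'user3' => 'C:\\web\\user3',
];
const DEFAULT_DIR_KEY = 'user1';

// The pattern the comment warns against, kept only for contrast: escapeshellarg()
// quotes the value so shell metacharacters cannot break out of the argument, but
// "..\\.." is an ordinary path and still walks out of C:\web.
function list_dir_unsafe(string $userInput): array
{
    exec('dir C:\\web\\' . escapeshellarg($userInput), $lines);
    return $lines;
}

// Map the request to one of the predefined values; anything unknown gets the default.
// Only values from our own table are ever concatenated into the command.
function resolve_dir(string $userInput): string
{
    return ALLOWED_DIRS[$userInput] ?? ALLOWED_DIRS[DEFAULT_DIR_KEY];
}

function list_dir_allowlisted(string $userInput): array
{
    // escapeshellarg() stays as belt-and-braces even though the value is trusted.
    exec('dir ' . escapeshellarg(resolve_dir($userInput)), $lines, $status);
    if ($status !== 0) {
        throw new RuntimeException("dir exited with status $status");
    }
    return $lines;
}

// The comment's second point: a directory listing needs no shell at all.
function list_dir_native(string $userInput): array
{
    $entries = scandir(resolve_dir($userInput));
    if ($entries === false) {
        throw new RuntimeException('directory not readable');
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Usage (constructed request): "user2" lists C:\web\user2; "..\\.." or any other
// unknown key lists the default directory instead of walking the filesystem.
// print_r(list_dir_native($_GET['dir'] ?? DEFAULT_DIR_KEY));
```

Note that on Windows exec() still hands the command line to cmd.exe, which is why the lookup table matters more than the escaping: the user's string is used only as a key and never reaches the command at all.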
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11771190
I have a dedicated Windows server. I am using shell_exec() to encrypt data using GnuPG, and I am not taking input from the user for this purpose.
 
LVL 5

Expert Comment

by:basiclife
ID: 11805766
Can others upload scripts to your server?
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807223
No one can upload anything on the server.
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 60 total points
ID: 11807361
In that case, you can use it perfectly safely. If others could upload, then they could upload a script to execute whatever they want. If you're the only one who can modify the server and you choose what it executes, there's no danger whatsoever (so long as you don't accidentally execute the wrong thing...)
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807392
>Also check "2. Don't Let Hackers Exploit DOS" on the following page
>http://www.coordinated.co.za/discussions/viewtopic.php?t=220

Did you read the above article? What do you say about the known bugs of IIS, i.e.
"Many of the known IIS vulnerabilities allow a URL to be constructed that ultimately causes CMD.EXE to be invoked on the server."

Can you explain that?
 
LVL 5

Expert Comment

by:basiclife
ID: 11807450
I hadn't read the article, however, I have had someone try to do it on my old IIS server. The exploit mentioned doesn't require PHP (at least as far as I understand it). The attacker tries to make the server access cmd.exe the same way it would a web page. PHP is not required for this, so PHP settings are a moot point.
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 720 total points
ID: 11807620
@basiclife:
PHP is not required, but it provides another attack point, if all IIS exploits are patched (hahaha)
@wasifg:
...I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose...
Where does the data that you want to encrypt come from? User input? Be very careful: for example, if the user only chooses a file name that you want to send encrypted, the filename (user input, maybe it's not a filename after all) will be in the shell's command line.
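An added example, not code from the thread, of the GnuPG case discussed in the exchange above: gpg is started through proc_open() with an argument array, which PHP 7.4 and later run directly rather than through cmd.exe; the plaintext is written to gpg's stdin instead of being placed on the command line; and a user-chosen file name is confined to one directory before the file is read. The gpg path, the recipient key id and the data directory are placeholders, not values from the thread.

```php
<?php
declare(strict_types=1);

// Assumed locations: adjust to your installation. The key id is a placeholder.
const GPG_BINARY    = 'C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe';
const GPG_RECIPIENT = '0123456789ABCDEF';   // placeholder key id, not a real key
const UPLOAD_DIR    = 'C:\\web\\data';       // the only directory user-chosen files may come from

/**
 * Encrypt $plaintext for $recipient with GnuPG.
 * The argument-array form of proc_open() (PHP >= 7.4) starts gpg without a shell,
 * and the data goes over stdin, so nothing user-controlled is parsed by cmd.exe.
 */
function gpg_encrypt(string $plaintext, string $recipient = GPG_RECIPIENT): string
{
    // Even without a shell, an argument beginning with "-" would be read by gpg as
    // an option, so accept only a hex key id or fingerprint.
    if (!preg_match('/^[0-9A-Fa-f]{8,40}$/', $recipient)) {
        throw new InvalidArgumentException('recipient must be a hex key id or fingerprint');
    }
    $cmd  = [GPG_BINARY, '--batch', '--no-tty', '--yes', '--armor',
             '--recipient', $recipient, '--encrypt'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $ciphertext = stream_get_contents($pipes[1]);
    $errors     = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0 || $ciphertext === '') {
        throw new RuntimeException("gpg failed (exit $status): $errors");
    }
    return $ciphertext;
}

/**
 * Read a file the user picked by name, confined to UPLOAD_DIR. The name must be a
 * bare file name, and the resolved path must still lie below the base directory,
 * so "..\\" or an absolute path cannot select anything else.
 */
function read_confined_file(string $requested): string
{
    if ($requested === '' || basename($requested) !== $requested) {
        throw new InvalidArgumentException('a bare file name is required');
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('file is not inside the permitted directory');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('could not read file');
    }
    return $data;
}

// Usage: encrypt a user-selected file; the file name never reaches gpg's command line.
// $armored = gpg_encrypt(read_confined_file($_GET['file'] ?? ''));
```

The realpath() comparison is what rejects a request such as ".." (which basename() leaves unchanged): it resolves to the parent of the data directory and therefore fails the prefix check.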
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 12110838
Sorry for the delay, I visited EE after a month.
Anyway, thanks.

Wasif Ghani
