Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

shell_exec()

Posted on 2004-08-10
13
Medium Priority
?
939 Views
Last Modified: 2008-02-01
What are the risks involved to enable this command on the server, specially on Windows (IIS)? Can we minimize the risks after enabling it? Can we get our required results with anyother way and what is that?

Wasif Ghani
0
Comment
Question by:Muhammad Wasif
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
  • +1
13 Comments
 
LVL 33

Accepted Solution

by:
snoyes_jw earned 720 total points
ID: 11764577
Depends on how much control you have over scripts that run.  If you are the only one that can run scripts, and you don't allow user input to control arguments to shell_exec without verifying and properly escaping them, it's not a big problem.  However, if anybody can either upload scriptst to run on your server, or can pass arbitrary commands through your scripts to shell_exec, you could have a problem.

As far as getting your required results a different way, it depends entirely on what it is you are trying to do.
0
 
LVL 33

Expert Comment

by:snoyes_jw
ID: 11764620
You can also limit damage by using safe_mode_exec_dir to only run programs contained in the specified directory, and then be careful with which programs you place in that directory.
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764740
; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.

This is written in the ini file. And i dont have safe mode on.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11764838
Also check "2. Don't Let Hackers Exploit DOS" on the following page

http://www.coordinated.co.za/discussions/viewtopic.php?t=220
0
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 720 total points
ID: 11771153
coming from the linux world, I don't know for sure on windows, but I think the following will be true on any system:
* never use a shell when you don't need it. If you need to execute a program, use exec() instead of shell_exec()
* if you need a shell function, code it in php (ie a directory listing can easily be coded in php, you don't need shell_exec('dir')
* switch on safe_mode, it disables a lot of other security problems (for example with the dl() function, everybody can run shell commands)
* if you need to execute system commands, never let user input directly into the system command, not even sanitized, use predefined values:
exec('dir c:\web\'.escapeshellarg($userinput)) // is bad, by adding path .. to the path, the user will see thing he shouldn't
do it like that:
$array_of_allowed_dirs=array('user1'=>'c:\web\user1', 'user2'=>'c:\web\user2', 'user3'=>'c:\web\user3');
if (!isset($array_of_allowed_dirs($userinput)) $userinput='user1'; // if someone trys to cheat, use a sensible default
exec('dir '.$array_of_allowed_dirs($userinput));
* Only run a choosen few programs, from which you know they have no side effect (like being able to exec a shell themselves)
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11771190
I have dedicated Windows server. I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose.
0
 
LVL 5

Expert Comment

by:basiclife
ID: 11805766
Can others upload scripts to your server?
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807223
No one can upload anything on the server.
0
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 60 total points
ID: 11807361
In that case, you can use it perfectly safely. If others could upload, then they could upload a script to execute whatever they want. If you're the only one who can modify the server and you choose what it executes, there's no danger whatsoever (so long as you don't accidentally execute the wrong thing...)
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 11807392
>Also check "2. Don't Let Hackers Exploit DOS" on the following page
>http://www.coordinated.co.za/discussions/viewtopic.php?t=220

Did u read the above article? what do u say about the known bugs of IIS i.e
"Many of the known IIS vulnerabilities allow a URL to be constructed that ultimately causes CMD.EXE to be invoked on the server."

Can u explain that?
0
 
LVL 5

Expert Comment

by:basiclife
ID: 11807450
I hadn't read the article, however, I have had someone try to do it on my old IIS server. The exploit mentioned doesn't require PHP (at least as far as I understand it). The attacker tries to make the server access cmd.exe the same way it would a web page. PHP is not required for this, so PHP settings are a moot point.
0
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 720 total points
ID: 11807620
@basiclife:
PHP is not required, but it provides another attack point, if all iis exploits are patched (hahaha)
@wasifg:
...I am using shell_exec() to encrypt data using GnuPG and I am not taking input from user for this purpose...
Where does the data that you want to encrypt come from? User input? Be very careful, for example if the user only chooses a file name that you want to send encrypted, the filename(user input, may be it's not a filename after all) will be in the shell's command line.
0
 
LVL 20

Author Comment

by:Muhammad Wasif
ID: 12110838
Sorry for the delay, i visited EE after a month.
Anyway, thanx.

Wasif Ghani
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question