Section 6.3. Command Injection

The use of system commands is a dangerous operation, and this is particularly true when you use remote data to construct the command to be issued. When tainted data is used, this represents a command injection vulnerability.

The exec( ) function is a popular function used to execute a shell command. It returns the last line of the output of the command, but you can specify an array as the second argument, and each line of output is stored as an element of that array. It can be used as follows:

    <?php
    $last = exec('ls', $output, $return);
    print_r($output);
    echo "Return [$return]";
    ?>

Assume that the ls command provides the following output when executed manually from the shell:

    $ ls
    total 0
    -rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
    -rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett

When executed with exec( ) as shown in the prior example, the following output is generated:

    Array
    (
        [0] => total 0
        [1] => -rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
        [2] => -rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett
    )
    Return [0]

This is a useful and convenient way to execute shell commands, but this convenience heightens your risk. If tainted data is used to construct the string to be executed, an attacker can execute arbitrary commands.

I recommend that you avoid using shell commands when possible and, when you must use them, ensure that you use only filtered data to construct the string to be executed, and always escape your output:

    <?php
    $clean = array();
    $shell = array();

    /* Filter Input ($command, $argument) */

    $shell['command'] = escapeshellcmd($clean['command']);
    $shell['argument'] = escapeshellarg($clean['argument']);

    $last = exec("{$shell['command']} {$shell['argument']}", $output, $return);
    ?>

Although you can execute shell commands in many different ways, the best practice is to be consistent: ensure that you use only filtered and escaped data when constructing the string to be executed. Other functions that require careful attention include passthru( ), popen( ), shell_exec( ), and system( ). If at all possible, I recommend avoiding the use of shell commands altogether.
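As an added example that is not from the book, the following fills in the "Filter Input" step of the snippet above with an allowlist check and then applies the same escaping; the allowed command set, the argument pattern, the function names, and the sample input are assumptions.

```php
<?php
// Added example (not from the book). Assumes the script receives
// $_GET['command'] and $_GET['argument']; only commands in $allowed may run.

/* Step 1: filter input with an allowlist, never a denylist. */
function filter_command_input(array $input, array $allowed): ?array
{
    $clean = array();

    // The command must be one of a fixed set; anything else is rejected.
    if (!isset($input['command']) || !in_array($input['command'], $allowed, true)) {
        return null;
    }
    $clean['command'] = $input['command'];

    // The argument is limited to a narrow character set (a plain file or
    // directory name); shell metacharacters cannot pass this check.
    if (!isset($input['argument'])
        || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $input['argument'])) {
        return null;
    }
    $clean['argument'] = $input['argument'];

    return $clean;
}

/* Step 2: escape the filtered data before it becomes part of the command string. */
function build_shell_command(array $clean): string
{
    $shell = array();
    $shell['command']  = escapeshellcmd($clean['command']);
    $shell['argument'] = escapeshellarg($clean['argument']);
    return "{$shell['command']} {$shell['argument']}";
}

$allowed = array('ls', 'wc');

// Constructed sample input standing in for $_GET.
$clean = filter_command_input(array('command' => 'ls', 'argument' => '.'), $allowed);
if ($clean === null) {
    die('Invalid command or argument.');
}
$last = exec(build_shell_command($clean), $output, $return);
print_r($output);
echo "Return [$return]\n";

// An argument carrying a separator such as 'a; b' fails the pattern and is
// rejected before any shell is involved; escapeshellarg() is the second line.
var_dump(filter_command_input(array('command' => 'ls', 'argument' => 'a; b'), $allowed));
?>
```

The validation step is the one that actually prevents injection; escapeshellcmd( ) and escapeshellarg( ) are defence in depth for the case where a filter is too permissive.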


Essential PHP Security
ISBN: 059600656X
Year: 2005
Pages: 110