Re: php/apache security question

From: DENNIS BYRNE <asdcb1@uaa.alaska.edu>
Date: Sat Mar 13 2004 - 16:38:18 AKST

> my question.... what security concerns should I have with the call
> "shell_exec ("traceroute $ip")"? I would imagine this is getting
> executed with the privileges of my Apache user - is this a good
> thing?

Looks good as long as the user cannot assign something like the
following value to the variable $ip:
"; rm -rf /"

This can happen if you don't initialize $ip to something, which you
have. But if someone sends the following request to the server,
<the url>?ip=<evil code goes here>, you are in trouble.

Dennis Byrne
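
As an added illustration of the point above (this is not code from the original thread), the snippet below builds the traceroute command only from a value that passes PHP's IP-address validation, so a payload such as "; rm -rf /" or "$(id)" is rejected before it can reach the shell. It deliberately reads $ip from the query string to model the "<url>?ip=<evil code>" case; the function names, the sample inputs and the use of filter_var() plus escapeshellarg() are the example's own choices, not something the original poster used.

```php
<?php
// Added example, not from the original post. Shows how to make
// shell_exec("traceroute $ip") safe against shell injection.

function validated_ip(string $candidate): ?string
{
    // FILTER_VALIDATE_IP accepts only a syntactically valid IPv4 or IPv6
    // literal, which leaves no room for ';', '$(...)', whitespace or
    // leading '-' options. Anything else is rejected.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function traceroute_command(string $ip): string
{
    // Validate first, then quote. escapeshellarg() is a second layer in case
    // the validation is ever loosened; neither step alone should be relied on.
    if (validated_ip($ip) === null) {
        throw new InvalidArgumentException('not an IP address');
    }
    return 'traceroute ' . escapeshellarg($ip);
}

// The original, vulnerable form, kept only as a reference:
//   shell_exec("traceroute $ip");
// With $ip = '; rm -rf /' the shell sees:  traceroute ; rm -rf /

// Constructed inputs: two legitimate addresses (RFC 5737 / RFC 3849
// documentation ranges) and three injection attempts.
$inputs = [
    '198.51.100.7',
    '2001:db8::1',
    '; rm -rf /',            // the payload named in the reply above
    '$(id)',                 // command substitution
    '-z 10 198.51.100.7',    // option injection
];

// In a real page the value would come from the request, for example:
//   $ip = $_GET['ip'] ?? $_SERVER['REMOTE_ADDR'];
// and the output would be shell_exec(traceroute_command($ip)).
foreach ($inputs as $in) {
    try {
        echo "OK   ", traceroute_command($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo "DENY ", var_export($in, true), ": ", $e->getMessage(), "\n";
    }
}
```

Note that REMOTE_ADDR, as used in the original script, is the peer address of the TCP connection and not a field the client types into a URL; the validation above matters as soon as the address is taken from the query string, a form field or a header such as X-Forwarded-For.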

----- Original Message -----
From: Scott Johnson <scott@akghetto.com>
Date: Saturday, March 13, 2004 2:55 pm
Subject: php/apache security question

> I've written my first PHP web page and was hoping I could get someone
> with more security knowledge than me to throw in a comment or two.
>
> Here's the source:
>
> <?php
> // Peer address of the TCP connection, as seen by Apache.
> $ip = $_SERVER['REMOTE_ADDR'];
>
> print "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\n".
>       "\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\n".
>       "<html>\n".
>       "<head>\n".
>       "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\n".
>       "<title>scottjohnson.us - what is my IP?</title>\n".
>       "<link href=\"style.css\" rel=\"stylesheet\" type=\"text/css\"/>\n".
>       "</head>\n".
>       "<body>\n".
>       "<div class=\"header1\">Your IP address is:<br/><br/></div>\n".
>       "<div class=\"ip\"><b>".$ip."</b><br/><br/></div>\n".
>       "<div><hr/><br/><br/></div>\n".
>       "<div class=\"header1\">Your host name is:<br/><br/></div>\n".
>       "<div class=\"ip\"><b>".gethostbyaddr($ip)."</b><br/><br/></div>\n".
>       "<div><hr/><br/><br/></div>\n".
>       "<div class=\"header1\">Traceroute:<br/><br/></div>\n".
>       "<div class=\"trace\"><b><pre>".shell_exec("traceroute $ip")."</pre></b><br/><br/></div>\n".
>       "<div><br/><br/></div>\n".
>       "<div class=\"w3c\"><img style=\"w3c\" src=\"http://www.w3.org/Icons/valid-xhtml11\" alt=\"Valid XHTML 1.1!\" />".
>       " <img style=\"w3c\" src=\"http://jigsaw.w3.org/css-validator/images/vcss\" alt=\"Valid CSS!\" /></div>\n".
>       "</body>\n".
>       "</html>\n";
>
> // Kill any traceroute still running once the page has been sent.
> shell_exec("killall -q traceroute");
> ?>
>
> my question.... what security concerns should I have with the call
> "shell_exec ("traceroute $ip")"? I would imagine this is getting
> executed with the privileges of my Apache user - is this a good
> thing?
> Is there a better way to call this traceroute command?
>
> Any comments/suggestions appreciated. Like I said, this is my first
> PHP script - working on converting over my ASP sites to PHP, and this
> code alone took me an hour.
>
> Scott
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Sat Mar 13 16:38:01 2004

This archive was generated by hypermail 2.1.8 : Sat Mar 13 2004 - 16:38:01 AKST