Re: php/apache security question

From: DENNIS BYRNE <asdcb1@uaa.alaska.edu>
Date: Sat Mar 13 2004 - 19:40:26 AKST

Looks good to me.

Dennis Byrne

----- Original Message -----
From: Scott Johnson <scott@akghetto.com>
Date: Saturday, March 13, 2004 5:40 pm
Subject: Re: php/apache security question

> well I have IP set to the remote IP address... is that not good
> enough?
> On 13 Mar 2004, at 16:37, DENNIS BYRNE wrote:
>
> >> my question.... what security concerns should I have with the call
> >> "shell_exec ("traceroute $ip")"? I would imagine this is getting
> >> executed with the privileges of my Apache user - is this a good
> >> thing?
> >
> > looks good as long as the user cannot assign something like the
> > following value to the variable of $ip :
> > " ; rm -rf /"
> >
> > this can happen if you don't initialize $ip to something, which you
> > have. But what if someone sends the following request to the server
> > <the url>?ip=<evil code goes here>, you are in trouble.
> >
> >> Any comments/suggestions appreciated. Like I said, this is my
> >> first
> >> PHP script - working on converting over my ASP sites to PHP, and
> >> this
> >> code alone took me an hour.
> >>
> >> Scott
> >>
> >> ---------
> >> To unsubscribe, send email to <aklug-request@aklug.org>
> >> with 'unsubscribe' in the message body.

Received on Sat Mar 13 19:40:09 2004
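
The concern discussed in this thread, as an added example that is not part of the original messages or of Scott's script: the value is accepted only if it is a literal IP address, and is shell-quoted before it reaches the command line. The function name `build_traceroute_command` and the sample inputs are hypothetical, and the example prints the command instead of calling `shell_exec` so it runs anywhere.

```php
<?php
// Added example; build_traceroute_command() and the inputs below are
// hypothetical and do not come from the script discussed in the thread.

/**
 * Build the traceroute command line for $ip, or return null when $ip is
 * not a literal IPv4/IPv6 address.
 */
function build_traceroute_command(string $ip): ?string
{
    // Allow-list check: only a syntactically valid IP literal passes.
    // Shell metacharacters, whitespace, hostnames and option-like values
    // such as "-h" all fail here.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Defense in depth: quote the argument even though it already validated,
    // so a later change to the check cannot reintroduce shell injection.
    return 'traceroute ' . escapeshellarg($ip);
}

// Constructed sample inputs: two well-formed addresses, the value quoted in
// the thread, an empty string and an option-like string.
$samples = [
    '192.0.2.10',
    '2001:db8::1',
    ' ; rm -rf /',
    '',
    '-h',
];

foreach ($samples as $candidate) {
    $cmd = build_traceroute_command($candidate);
    if ($cmd === null) {
        echo 'rejected:  ' . var_export($candidate, true) . "\n";
    } else {
        // A real page would pass $cmd to shell_exec() at this point.
        echo 'would run: ' . $cmd . "\n";
    }
}
```

The same check applies whether the value comes from the request or from a server-side variable, since it costs nothing and does not depend on how `$ip` was populated.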
