[aklug] Re: Drupal :: the real linux test

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Fri Oct 12 2012 - 11:27:24 AKDT

On Fri, 12 Oct 2012, Tim Johnson wrote:

> My research shows that php can do system calls, so that one could
> employ python or perl scripts as a back door. I'm still interested
> in the delivery of content directly to a drupal site from a
> non-PHP URL. However, if I do dig into drupal (and I probably
> will), I will find that out for myself with some testing.

How PHP executes system calls is extraordinarily insecure, since it treats
all calls as strings that need to be filtered through an actual shell.
What's worse is that rather than give you a relatively safer method of
calling, say, execvp(3), they insist you manually sanitize the strings with
things like escapeshellcmd() and escapeshellarg(). Your backdoor might get
more traffic than you intended.

Tread carefully.

PHP'ers: if my understanding is out of date, please correct me.

         --Arthur Corliss
           Live Free or Die
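The three ways the thread touches on, side by side, as an added example that is not part of the original post or of any project: PHP's exec() handing a shell a string built from untrusted input, the same call with escapeshellarg(), and proc_open() given an argv array, which PHP 7.4 and later exec directly with no shell in between (the execvp(3)-style call the post asks for; it was not available in 2012). The input value and the use of /bin/echo are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post or any project. Shows what
// each of PHP's process-spawning styles does with a command-injection
// attempt. The array form of proc_open() needs PHP >= 7.4; exec() and
// escapeshellarg() exist in every PHP 5/7/8 release.

// Constructed attacker input: a "hostname" that smuggles in a second command.
$untrusted = 'example.com; id';

// 1) Vulnerable: the value is interpolated into a string that /bin/sh parses,
//    so the ';' terminates the echo and 'id' runs as a separate command.
function viaShellUnquoted(string $value): array
{
    exec('echo ' . $value, $lines);
    return $lines;
}

// 2) Still shell-based, but escapeshellarg() wraps the value in single quotes
//    (escaping any embedded quote) so the shell sees exactly one argument.
function viaShellQuoted(string $value): array
{
    exec('echo ' . escapeshellarg($value), $lines);
    return $lines;
}

// 3) No shell at all: proc_open() with an array command execs the program
//    directly with that argv (PHP >= 7.4). Shell metacharacters in $value are
//    inert because nothing ever parses them; no quoting is required.
function viaArgv(string $value): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/bin/echo', $value], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return explode("\n", rtrim($out, "\n"));
}

foreach (['viaShellUnquoted', 'viaShellQuoted', 'viaArgv'] as $fn) {
    printf("%-17s => %s\n", $fn, json_encode($fn($untrusted)));
}
```

Run it from the CLI: the first function returns two lines, the echoed hostname and the output of id, because the shell honoured the ';'; the other two return the whole untrusted string as a single line. One caveat on the post's two sanitizers: escapeshellcmd() escapes metacharacters across an entire command line but does not prevent a value containing whitespace from becoming extra arguments, so for a single user-supplied argument escapeshellarg() is the one to use, and the argv form removes the need to reason about quoting altogether.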
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Oct 12 11:27:34 2012

This archive was generated by hypermail 2.1.8 : Fri Oct 12 2012 - 11:27:34 AKDT