6.3. Command Injection

The use of system commands is a dangerous operation, and this is particularly true when you use remote data to construct the command to be issued. When tainted data is used, this represents a command injection vulnerability.

The exec( ) function is a popular function used to execute a shell command. It returns the last line of the output of the command, but you can specify an array as the second argument, and each line of output is stored as an element of that array. It can be used as follows:

    <?php

    $last = exec('ls', $output, $return);

    print_r($output);
    echo "Return [$return]";

    ?>

Assume that the ls command provides the following output when executed manually from the shell:

    $ ls
    total 0
    -rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
    -rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett

When executed with exec( ) as shown in the prior example, the following output is generated:

    Array
    (
        [0] => total 0
        [1] => -rw-rw-r--  1 chris chris 0 May 21 12:34 php-security
        [2] => -rw-rw-r--  1 chris chris 0 May 21 12:34 chris-shiflett
    )
    Return [0]

This is a useful and convenient way to execute shell commands, but this convenience heightens your risk. If tainted data is used to construct the string to be executed, an attacker can execute arbitrary commands.

I recommend that you avoid using shell commands when possible and, when you must use them, ensure that you use only filtered data to construct the string to be executed, and always escape your output:

    <?php

    $clean = array();
    $shell = array();

    /* Filter Input ($command, $argument) */

    $shell['command'] = escapeshellcmd($clean['command']);
    $shell['argument'] = escapeshellarg($clean['argument']);

    $last = exec("{$shell['command']} {$shell['argument']}", $output, $return);

    ?>

Although you can execute shell commands in many different ways, the best practice is to be consistent: ensure that you use only filtered and escaped data when constructing the string to be executed. Other functions that require careful attention include passthru( ), popen( ), shell_exec( ), and system( ). If at all possible, I recommend avoiding the use of shell commands altogether.
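The snippet above leaves the "Filter Input" step as a comment. The following is an added example, not code from the book, showing one concrete way to fill it in: the command name is checked against a fixed allowlist, the argument is checked against a conservative character pattern, and only then are escapeshellcmd( ) and escapeshellarg( ) applied before exec( ) is called. The function name run_allowed_command( ), the ALLOWED_COMMANDS list, and the sample inputs are assumptions constructed for this example; the pattern is the same filter-then-escape sequence the section describes.

```php
<?php
// Added example (not from the book): fills in the "Filter Input" step.
// run_allowed_command() and ALLOWED_COMMANDS are names chosen for this
// example; adjust the allowlist to the commands your application needs.

const ALLOWED_COMMANDS = ['ls', 'wc', 'head'];

/**
 * Run one allowlisted command with one validated, escaped argument.
 * Returns ['output' => string[], 'status' => int], or throws
 * InvalidArgumentException when the input does not pass the filter.
 */
function run_allowed_command(string $command, string $argument): array
{
    // Step 1: filter the command. Only names from a fixed allowlist are
    // accepted; the third argument (strict) avoids loose comparisons.
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        throw new InvalidArgumentException("command not permitted: $command");
    }

    // Step 2: filter the argument. Letters, digits, '.', '_' and '-' only,
    // no path separators, no '..', and no leading '-' so the value cannot
    // be parsed as an option by the command (exec() hands the whole string
    // to /bin/sh -c, so this is a separate concern from shell metacharacters).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $argument)
        || strpos($argument, '..') !== false) {
        throw new InvalidArgumentException('argument rejected by filter');
    }

    // Step 3: escape anyway (defense in depth, as the section recommends).
    // escapeshellcmd() neutralises metacharacters in the command token;
    // escapeshellarg() wraps the argument in single quotes so the shell
    // treats it as one literal word.
    $shell = [
        'command'  => escapeshellcmd($command),
        'argument' => escapeshellarg($argument),
    ];

    $output = [];
    $status = 0;
    exec("{$shell['command']} {$shell['argument']}", $output, $status);

    return ['output' => $output, 'status' => $status];
}

// Constructed sample inputs (not real requests), showing what the filter
// lets through and what it refuses.
$attempts = [
    ['ls',  'php-security'],          // passes the filter and runs
    ['ls',  'notes; echo injected'],  // refused: ';' and space are not allowed
    ['cat', 'php-security'],          // refused: 'cat' is not allowlisted
    ['ls',  '-la'],                   // refused: leading '-'
];

foreach ($attempts as $attempt) {
    list($cmd, $arg) = $attempt;
    try {
        $result = run_allowed_command($cmd, $arg);
        printf("%s %s -> status %d, %d line(s) of output\n",
               $cmd, $arg, $result['status'], count($result['output']));
    } catch (InvalidArgumentException $e) {
        printf("%s %s -> refused: %s\n", $cmd, $arg, $e->getMessage());
    }
}

// For reference, what escapeshellarg() does to the second input if it ever
// reaches the shell: the whole value becomes one single-quoted literal.
echo escapeshellarg('notes; echo injected'), "\n";
?>
```

Two design points worth noting. Because the command name is taken from an allowlist rather than from the request, escapeshellcmd( ) adds little here; it is kept so that the filter-then-escape sequence is the same everywhere, which is the consistency the section asks for. The argument filter rejects a leading '-' on purpose: escapeshellarg( ) stops the shell from interpreting the value, but it does nothing to stop the invoked program from reading a quoted '-la' as an option, so that check belongs in the filter rather than in the escaping step.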

