Security Question about php exec and other similar functions

risharderisharde Member
edited September 2012 in General

Hi everyone, noob question here: how safe is it to enable the PHP exec or similar functions in a hosting environment? Would you guys be kind enough to tell me whether you do or don't? If it is enabled, would it mean that processes running under a specific user can hack or root the Linux box itself? What's your take on this?

Comments

  • Usually, it's not necessary. If you do find it to be necessary, chances are you're doing something wrong. If you're offering shared hosting, then there's really no reason to leave it enabled. If it's your own server and your own website, then you need to be extremely strict with what goes in. Ideally, no user-supplied input should ever go through exec, and if it absolutely must, filter filter filter. For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

    Thanked by 1risharde
  • @NickM said: For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

    I'm doing something similar, with my own filtering code and escapeshellcmd.

    SonicGlass 11 Locations- Amsterdam, Atlanta, Denver, Los Angeles, , Milan,
    SonicBoxes.com - VPS Tips, Tricks & Tutorials

    Thanked by 1risharde
  • Yes, one of the reasons I asked was because I saw someone using a PHP script to do some exec commands and I was thinking that if it was a host node, it's a bit dangerous... thanks for the replies and insights ;)
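
The validate-then-quote approach discussed in the comments above, as an added PHP example that is not code from any poster in this thread. The helper names `validate_target` and `ping`, the private/reserved-range flags, the `--` separator and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not code from the thread: returns the validated
// address, or null if $input is not an acceptable IPv4/IPv6 literal.
function validate_target(string $input): ?string
{
    // FILTER_VALIDATE_IP accepts only a complete IP literal, so spaces, shell
    // metacharacters and option-like strings such as "-f" all fail.
    // The two flags are an added assumption: they also refuse private and
    // reserved ranges so the page cannot be pointed at internal hosts.
    $ip = filter_var(
        $input,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $ip === false ? null : $ip;
}

// Hypothetical helper: runs a fixed ping command against a validated address.
function ping(string $input): array
{
    $ip = validate_target($input);
    if ($ip === null) {
        return ['ok' => false, 'output' => ['rejected: not an accepted IP literal']];
    }
    // escapeshellarg() quotes the value as exactly one argument; escapeshellcmd()
    // only escapes metacharacters and still lets extra arguments through.
    // "--" ends option parsing (assumes a getopt-based ping such as iputils).
    $cmd = 'ping -c 3 -- ' . escapeshellarg($ip);
    exec($cmd, $lines, $status);
    return ['ok' => $status === 0, 'output' => $lines];
}

// Constructed sample inputs; only validation runs here, nothing is executed.
$samples = ['192.0.2.10', '2001:db8::1', '10.0.0.5', '192.0.2.10; id', '-f', ' 192.0.2.10'];
foreach ($samples as $s) {
    printf("%-18s => %s\n", var_export($s, true), validate_target($s) ?? 'REJECTED');
}
```

The command string is fixed apart from the one validated, quoted argument, so the user never chooses the program or its options.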
