Security Question about php exec and other similar functions

risharde Member
edited September 2012 in General

Hi everyone, noob question here: how safe is it to enable the PHP exec or similar functions in a hosting environment? Would you guys be kind enough to tell me whether you do or don't? If it is enabled, would it mean that processes running under a specific user can hack or root the Linux box itself? What's your take on this?

Comments

  • Usually, it's not necessary. If you do find it to be necessary, chances are you're doing something wrong. If you're offering shared hosting, then there's really no reason to leave it enabled. If it's your own server and your own website, then you need to be extremely strict with what goes in. Ideally, no user-supplied input should ever go through exec, and if it absolutely must, filter filter filter. For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

  • @NickM said: For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

    I'm doing something similar, with my own filtering code and escapeshellcmd.

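The pattern the two replies above describe (validate the address with FILTER_VALIDATE_IP, then escape it before it reaches exec), as an added example that is not code from either poster. The helper name `build_ping_command`, the Linux `ping -c 4` flags and the sample inputs are assumptions; it quotes the value with escapeshellarg because escapeshellcmd escapes metacharacters in a whole command string but still lets extra space-separated arguments through.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns a shell-safe ping
// command line, or null when the input is not a literal IPv4/IPv6 address.
function build_ping_command(string $input): ?string
{
    // Allow-list check: only a literal IP address passes. Hostnames,
    // option strings such as "-f", and shell metacharacters all fail here.
    $ip = filter_var($input, FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;
    }

    // Defence in depth: quote the value as exactly ONE shell argument, so
    // it stays a single argument even if the validation above is ever
    // loosened (for example, to accept hostnames).
    // Assumes a Linux ping that accepts -c <count>.
    return 'ping -c 4 ' . escapeshellarg($ip);
}

// Constructed sample inputs: two valid addresses, then values that must
// never reach the shell.
$samples = [
    '192.0.2.10',
    '2001:db8::1',
    '192.0.2.10; id',
    '192.0.2.10 -c 100000',
    '-f',
    'example.com',
];

foreach ($samples as $sample) {
    $cmd = build_ping_command($sample);
    printf("%-26s => %s\n", var_export($sample, true), $cmd ?? 'REJECTED');
}

// A caller would hand an accepted command to exec($cmd, $output, $status)
// and refuse the request outright when the helper returns null.
```

On PHP 7.4 and later, passing the command to proc_open() as an array starts the program without invoking a shell at all.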

  • Yes, one of the reasons I asked was because I saw someone using a PHP script to do some exec commands and I was thinking that if it was a host node, it's a bit dangerous... thanks for the replies and insights ;)
