Security Question about php exec and other similar functions

risharde Patron Provider, Veteran
edited September 2012 in General

Hi everyone, noob question here: how safe is it to enable the PHP exec or similar functions in a hosting environment? Would you guys be kind enough to tell me whether you do or don't? If it is enabled, would it mean that processes running under a specific user can hack or root the Linux box itself? What's your take on this?

Comments

  • Usually, it's not necessary. If you do find it to be necessary, chances are you're doing something wrong. If you're offering shared hosting, then there's really no reason to leave it enabled. If it's your own server and your own website, then you need to be extremely strict with what goes in. Ideally, no user-supplied input should ever go through exec, and if it absolutely must, filter filter filter. For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

    Thanked by 1 risharde
  • @NickM said: For example, I have a page on one of my sites that can do a traceroute or ping to a user-supplied IP address, and I use PHP FILTER_VALIDATE_IP on the input.

    I'm doing something similar, with my own filtering code and escapeshellcmd.

    Thanked by 1 risharde
  • risharde Patron Provider, Veteran

    Yes, one of the reasons I asked was because I saw someone using a PHP script to do some exec commands and I was thinking that if it was a host node, it's a bit dangerous... thanks for the replies and insights ;)
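
The approach described in the comments above, as an added example (not code posted by anyone in this thread): validate the input as a literal IP address with FILTER_VALIDATE_IP, then quote it with escapeshellarg before it reaches exec. The function names, the range-restriction flags, the `ping -c 3` invocation (Linux `ping` on the PATH) and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Accept only a literal IPv4/IPv6 address. Hostnames, option-like strings
// and anything carrying shell metacharacters fail validation outright.
// Assumption: this tool should not probe private or reserved ranges.
function validated_ip(string $input): ?string
{
    $ip = filter_var(
        trim($input),
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $ip === false ? null : $ip;
}

// Fixed command, one quoted argument. escapeshellarg() quotes the value as a
// single argument; escapeshellcmd() alone escapes metacharacters but still
// lets whitespace-separated extra options through.
function ping_command(string $ip): string
{
    return 'ping -c 3 ' . escapeshellarg($ip);
}

// Validate first, execute second; nothing unvalidated reaches exec().
function run_ping(string $userInput): array
{
    $ip = validated_ip($userInput);
    if ($ip === null) {
        return ['ok' => false, 'output' => ['rejected: not a public IP address']];
    }
    exec(ping_command($ip), $output, $status);
    return ['ok' => $status === 0, 'output' => $output];
}

// Constructed sample inputs; prints the decision without sending any packets.
$samples = ['8.8.8.8', '2001:4860:4860::8888', '10.0.0.1',
            '8.8.8.8; id', '-c 9999 8.8.8.8', 'example.com'];
foreach ($samples as $sample) {
    $ip = validated_ip($sample);
    printf("%-22s => %s\n", $sample, $ip === null ? 'REJECTED' : ping_command($ip));
}
```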
