Is this code dangerous?

Posted: Sun Dec 10, 2006 6:18 pm
by impulse()
I've been reading a book on PHP security which is heavily focused on filtering any data that is sent to the server, and I've gone back to an old script I created which is a web-based PHP dig/ping/whois tool. It allows users to enter a domain or IP and obtain details using the function system(). Can you tell me if the following script has any jeopardy on the server it's running on?

Code:

<form method = "post" action = "dig.php">
<b>Host:</b> <input type = "text" name = "host">
<input type = "submit" value = "Dig">
</form>

<?

$host = $_POST["host"];

?>

<table>
  <tr>
    <td bgcolor = "black"><font color="white">
    <?

    if (isset($host)) {
      // $host comes straight from the POST body and is interpolated into the shell command
      system("dig $host");
    }
    ?>

    </font></td>
  </tr>
</table>

Posted: Sun Dec 10, 2006 7:52 pm
by nickvd
Try this... enter "; ls -la" and check the output... it'll probably show you a list of files.

Assuming that worked, I could then enter "; cat /etc/passwd" which will get me a list of user accounts on the system...

The best defense would be to use escape_shell_args() on the input to sanitize it.

The very best defense would be to not use system() but find a webservice that does what you need (assuming you are checking availability, or other DNS information), that way you won't have to worry about it.
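As an added example (not code from either poster), here is what a hardened version of the dig handler looks like: a strict allow-list check on the host, escapeshellarg() as a second layer so the value reaches dig as one argument, and an alternative that queries the resolver without a shell at all. The function names (is_valid_host, run_dig, lookup_without_shell) are my own.

```php
<?php
// Hardened form of the dig handler from the thread (added example).
// Layer 1: reject anything that is not a plausible hostname or IP literal.
// Layer 2: quote the argument so the shell never interprets it.

function is_valid_host(string $host): bool
{
    // IPv4 or IPv6 literal is fine as-is.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens, no leading
    // or trailing hyphen, 253 chars overall. ';', '|', '$', spaces etc. all fail.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

function run_dig(string $host): ?string
{
    if (!is_valid_host($host)) {
        return null;            // refuse the request instead of trying to "clean" it
    }
    // escapeshellarg() wraps the value in single quotes and escapes any embedded
    // quotes, so the shell sees exactly one argument even if validation is loosened.
    $out = shell_exec('dig ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// Alternative that never spawns a shell: ask the resolver directly.
function lookup_without_shell(string $host): array
{
    if (!is_valid_host($host)) {
        return [];
    }
    $records = dns_get_record($host, DNS_A | DNS_AAAA);
    return $records === false ? [] : $records;
}

$host = $_POST['host'] ?? '';
if ($host !== '') {
    $result = run_dig($host);
    // Escape on output too, so a hostile dig response cannot inject HTML into the page.
    echo '<pre>' . htmlspecialchars($result ?? 'Invalid host name', ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

With this in place the "; ls -la" input from the reply above is rejected by is_valid_host() before any command runs, and lookup_without_shell() removes the system()/shell_exec() call entirely for plain DNS lookups.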