Hello all:
I've recently written a small PHP script to collect information and send an email to the graphic artist. Easy enough, and carefully cleaned of HTML tags for XSS vulnerabilities.
My question is about shell script injection vulnerabilities. If the information is properly sanitized (IE regex, htmlentities()) it won't have a problem, but if I'm not using shell_exec() or some other function to make the input run as a shell script, is the average HTML form vulnerable to such an injection attack? In example, if some user entered a PHP command using the backtick to run it as a shell script, would the server interpret it that way and try to run it as a shell script without a PHP shell command on the backside?
All of the information I've found on this subject relates to running your own shell scripts and ensuring that user input is properly sanitized, and doesn't really address the question of incidental vulnerability. I ask because I haven't found a definitive answer and want to understand PHP's abilities as well as I can.
Thank you!
PHP Shell Script Injection
Moderator: General Moderators
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Jcart:
No, I'm not running anything through eval() or any other shell command. The entire form is just a $_POST['information'] collector that sanitizes and sends it to the artist.
I'm not running it through escapeshellarg() or escapeshellcommand(), but will update my regex to add another layer of security.
Thank you for the quick response.
No, I'm not running anything through eval() or any other shell command. The entire form is just a $_POST['information'] collector that sanitizes and sends it to the artist.
I'm not running it through escapeshellarg() or escapeshellcommand(), but will update my regex to add another layer of security.
Thank you for the quick response.