PHP Shell Script Injection

Posted: Mon Jun 19, 2006 1:58 pm
by 1Copenut
Hello all:

I've recently written a small PHP script to collect information and send an email to the graphic artist. Easy enough, and carefully cleaned of HTML tags for XSS vulnerabilities.

My question is about shell script injection vulnerabilities. If the information is properly sanitized (i.e. regex, htmlentities()) it won't have a problem, but if I'm not using shell_exec() or some other function to make the input run as a shell script, is the average HTML form vulnerable to such an injection attack? For example, if some user entered a PHP command using the backtick to run it as a shell script, would the server interpret it that way and try to run it as a shell script without a PHP shell command on the backside?

All of the information I've found on this subject relates to running your own shell scripts and ensuring that user input is properly sanitized, and doesn't really address the question of incidental vulnerability. I ask because I haven't found a definitive answer and want to understand PHP's abilities as well as I can.

Thank you!

Posted: Mon Jun 19, 2006 2:00 pm
by John Cartwright
Unless you're running your input through eval() or the like, none of the input will be interpreted as PHP code. I hope I understood correctly.

Posted: Mon Jun 19, 2006 2:01 pm
by santosj
You could use PHP Shell escaping functions, but I don't have them off hand. They are referenced in the shell_exec() page.

Posted: Mon Jun 19, 2006 2:08 pm
by 1Copenut
Jcart:

No, I'm not running anything through eval() or any other shell command. The entire form is just a $_POST['information'] collector that sanitizes and sends it to the artist.

I'm not running it through escapeshellarg() or escapeshellcommand(), but will update my regex to add another layer of security.

Thank you for the quick response.
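
Added example, not code from any poster in this thread: it shows the same form value in the three contexts the thread touches on (plain data for the email body, HTML output, and a shell command line), and where escaping actually matters. The sample input is constructed, the helper path `/usr/local/bin/notify-artist` is hypothetical, and a Unix-like host is assumed.

```php
<?php
// Constructed sample: a form value containing shell metacharacters.
$_POST['information'] = 'Logo draft `id`; uname -a';
$info = $_POST['information'];

// Data context: the backtick operator is parsed only in script source code.
// A run-time string holding backticks is never evaluated by PHP itself.
$body = "Request from the web form:\n\n" . $info . "\n";
echo $body;

// HTML context: encode markup characters before echoing back to a browser.
echo htmlspecialchars($info, ENT_QUOTES, 'UTF-8'), "\n";

// Shell context (hypothetical helper path, not from the thread). Only here do
// the metacharacters matter, because /bin/sh would parse the command line.
$unsafe = '/usr/local/bin/notify-artist ' . $info;
$safe   = '/usr/local/bin/notify-artist ' . escapeshellarg($info);

// Printed, not executed, to show what a shell would receive in each case.
echo "unquoted: $unsafe\n";
echo "quoted:   $safe\n";
```

In the quoted form the whole value reaches the helper as one literal argument; in the unquoted form the shell would treat the backticks and the semicolon as syntax.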