
Mitigate the Security Risks of PHP System Command Execution

  • January 28, 2010
  • By Jason Gilmore

Building a web application that calls out to the underlying operating system is easy in PHP: exec(), system(), shell_exec(), passthru() and the backtick operator will all hand a string to the shell. The hard part is doing it safely, because any user-supplied data that reaches that string unchecked can add commands of the attacker's choosing. Fortunately, PHP ships the tools to vet such input (strict validation of what is allowed, plus escapeshellarg() for anything that must be passed as a shell argument), which greatly reduces the likelihood of stolen or damaged server data.

When PHP is installed as an Apache module, it runs inside the Apache worker processes and therefore as the user those processes run as (typically www-data, apache or nobody). Any operating system command PHP executes is carried out by that user, with exactly that user's permissions, no more and no less. Some improperly configured servers run the Apache workers as root, in which case an errant PHP script could conceivably delete large parts of the operating system and any data stored on it. Even in the far more likely case of a non-root server user, the risk remains severe: whoever can inject a command runs it with the same access the web server has, which normally includes reading the application's own source, configuration and credentials, and is a convenient foothold for further escalation.

Clearly, you should avoid such gaffes at all costs. Thankfully, these problems are straightforward to prevent with PHP's own functions. Jason Gilmore explains how in his PHPBuilder tutorial, "Mitigate the Security Risks of PHP System Command Execution."
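The following is an added example, not code from the PHPBuilder article or from Jason Gilmore: a "ping this host" endpoint written first the risky way and then the hardened way, to make the risk described above concrete. The function names, the hostname allowlist pattern and the constructed request values are assumptions made for this illustration. The proc_open() array form is standard PHP from version 7.4 onward.

```php
<?php
declare(strict_types=1);

// Added example, not code from the PHPBuilder article. A "ping this host"
// endpoint written the risky way and the hardened way. Whatever the shell
// runs here inherits the permissions of the Apache worker's user
// (www-data, apache, or root on a badly configured server).

// VULNERABLE: the request parameter is spliced straight into the shell
// command. ?host=example.com;cat+/etc/passwd makes the shell run two
// commands, the second one chosen by the attacker.
function build_ping_vulnerable(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Step 1 of the fix: an allowlist check. Only syntactically plausible
// hostnames are accepted (letters, digits, hyphens and dots; labels of at
// most 63 characters; no leading or trailing hyphen). Anything else is
// rejected outright rather than "cleaned up". Note that the pattern is an
// assumption for this example; it also rules out a leading "-", so the
// value can never be mistaken for a ping option.
function is_valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match("/^{$label}(?:\\.{$label})*$/", $host) === 1;
}

// Step 2 of the fix: escapeshellarg() wraps the value in single quotes and
// escapes any embedded quote, so the shell sees exactly one argument no
// matter what it contains. After the allowlist check this is belt and
// braces; for values that cannot be allowlisted it is the main defence.
function build_ping_hardened(string $host): ?string
{
    if (!is_valid_hostname($host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Step 3 (PHP >= 7.4): avoid the shell altogether. proc_open() with an
// array command passes the argument vector to the new process directly,
// so there is no shell grammar for ";", "|" or "$(...)" to abuse. The
// allowlist still guards the argument itself.
function run_ping(string $host): array
{
    if (!is_valid_hostname($host)) {
        return ['status' => 1, 'output' => "rejected: invalid hostname\n"];
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => 1, 'output' => "could not start ping\n"];
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'output' => $out];
}

// Constructed request values for a demonstration run (php example.php).
// Nothing is executed here; the script only shows what each version would
// hand to the shell.
$inputs = [
    'example.com',
    'example.com; cat /etc/passwd',
    '$(id)',
];
foreach ($inputs as $in) {
    printf("input:      %s\n", $in);
    printf("vulnerable: %s\n", build_ping_vulnerable($in));
    printf("hardened:   %s\n\n", build_ping_hardened($in) ?? '(rejected by allowlist)');
}
```

Running the demonstration shows the vulnerable version producing `ping -c 1 example.com; cat /etc/passwd` verbatim, while the hardened version rejects that input and `$(id)` at the allowlist and would, for a legitimate host, quote it as `'example.com'`. Two practical caveats: escapeshellarg() protects arguments, not the command name, and it is locale-sensitive (it drops bytes that are invalid in the current multibyte locale), so pair it with validation rather than relying on it alone; and bypassing the shell with proc_open() removes the injection surface but does not remove the need to decide which values are acceptable in the first place.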


Read the full story at PHPBuilder.com:
Mitigate the Security Risks of PHP System Command Execution


Tags: PHP, security, validation, operating system, input



