php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20951 PHP shell functions always call cmd.exe - potential security issue
Submitted: 2002-12-11 23:16 UTC Modified: 2002-12-28 05:20 UTC
Votes:9
Avg. Score:4.3 ± 0.9
Reproduced:4 of 7 (57.1%)
Same Version:2 (50.0%)
Same OS:4 (100.0%)
From: WPinegar at healthtech dot net Assigned:
Status: Wont fix Package: IIS related
PHP Version: 4CVS-2002-12-11 (dev) OS: Windows .Net Server 2003 RC2
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: WPinegar at healthtech dot net
New email:
PHP Version: OS:

 

 [2002-12-11 23:16 UTC] WPinegar at healthtech dot net
Windows.Net Server 2003 has instituted a new security measure that causes problems with any of the shell related functions in PHP.

Windows.Net Server changes the ACL's on EXE's in the %windir%\system32 subdirectory.  In particular CMD.EXE can no longer be executed by the "anonymous" user account (ie, IUSR_COMPUTERNAME)--there is a specific Deny ACL created by the Windows.Net Server installer.  Since PHP calls CMD.EXE to execute any external shell program PHP requires that CMD.EXE be reconfigured for anonymous access anytime a PHP page needs to call an external program.  This design is no longer a good idea because PHP forces the web administrator to open up a potential security hole in the system by re-enabling access to CMD.EXE.

The shell functions in PHP should call the application directly instead of always calling CMD.EXE?  If the PHP programmer wants to call a feature of the CMD intreperter then he should be forced to call the shell command like `CMD /C dir *.*`;  Only then would the administrator be required to allow access to the command intreperter.

Please consider this modification as it will make Windows.Net Server more secure when running PHP.  Or at least add configuration option to PHP.INI that will modify the behavior of the shell functions to no longer directly call CMD.EXE

Thank you!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-12-26 20:19 UTC] edink@php.net
There were many other probmlems with executing applications from within a web server environment that were solved by requiring the execution through cmd /c. I guess system administrators would have to configure there servers accordingly.
 [2002-12-27 22:06 UTC] WPinegar at healthtech dot net
Bummer.  You should at least consider making this optional in the future (via an INI setting).  Do you remember what problems you ran into before that were fixed by calling CMD.EXE?

I went over this several times and didn't find a good reason to ALWAYS call CMD.EXE.  Any webserver would definately web more secure if PHP didn't require access to CMD.EXE to call external programs.

The Deny ACL instituted by Windows.Net Server just hilights how much a security concern Microsoft thought it was....
 [2002-12-28 05:20 UTC] derick@php.net
Executing programs from within a scripting language always is less secure then just using PHP for everything. (please leave the status to "Won't fix")
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 19:01:31 2024 UTC