php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17416 using exec
Submitted: 2002-05-24 15:22 UTC Modified: 2002-05-24 16:30 UTC
From: zony at zonehomes dot com Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 4.2.1 OS: Windows 2000 IIS 5 SP2
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: zony at zonehomes dot com
New email:
PHP Version: OS:

 

 [2002-05-24 15:22 UTC] zony at zonehomes dot com
Why not just have php.exe call the cmd.exe in the system process? I'd recommend allowing a choice. Either pass the logged on user or let php handle exec() in the system process (default behavior). One already allows IUSR permissions to php.exe.

That way you wouldn't have to worry about requests like this (all the nimda variants et al):
'/scripts/..%c1%1c../winnt/system32/cmd.exe'

Coming from the Microsoft world of programming for the past 9 years I see this as a bug. If you see it as a feature request, then so be it.

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-05-24 15:55 UTC] imajes@php.net
> Why not just have php.exe call the cmd.exe in the system process?

from what i think i understand you're saying here, it does. Remember, php.exe is not a user. nor indeed is IIS. Both run under the user of IUSR_*. This is inbuilt microsoft security, and to be honest, trying to work around that would be a: one hell of a hack, and b: much less secure.

we don't want to be adding security holes here.

and as far as your nimda reference goes -- have you noticed that nimda et al all require a script on the webserver to exploit?

the reason this hasn't happened with php (yet) is because we don't distribute too many scripts with our binary. So, there is no guarantee of the existance of a script, like there is with IIS's install layout.

i understand how you would feel this is a bug, but realisitically, for the most safety we have to build PHP as an unprivileged binary. Anymore, and it would be too  dangerous to even consider using php -- or any other scripting engine, for that matter.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Sep 08 23:01:28 2024 UTC