PHP :: Bug #17416 :: using exec

Bug #17416	using exec
Submitted:	2002-05-24 15:22 UTC	Modified:	2002-05-24 16:30 UTC
From:	zony at zonehomes dot com	Assigned:
Status:	Not a bug	Package:	*Directory/Filesystem functions
PHP Version:	4.2.1	OS:	Windows 2000 IIS 5 SP2
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 3 - 1 = ?
Subscribe to this entry?

[2002-05-24 15:22 UTC] zony at zonehomes dot com

Why not just have php.exe call the cmd.exe in the system process? I'd recommend allowing a choice. Either pass the logged on user or let php handle exec() in the system process (default behavior). One already allows IUSR permissions to php.exe.

That way you wouldn't have to worry about requests like this (all the nimda variants et al):
'/scripts/..%c1%1c../winnt/system32/cmd.exe'

Coming from the Microsoft world of programming for the past 9 years I see this as a bug. If you see it as a feature request, then so be it.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-24 15:55 UTC] imajes@php.net

> Why not just have php.exe call the cmd.exe in the system process?

from what i think i understand you're saying here, it does. Remember, php.exe is not a user. nor indeed is IIS. Both run under the user of IUSR_*. This is inbuilt microsoft security, and to be honest, trying to work around that would be a: one hell of a hack, and b: much less secure.

we don't want to be adding security holes here.

and as far as your nimda reference goes -- have you noticed that nimda et al all require a script on the webserver to exploit?

the reason this hasn't happened with php (yet) is because we don't distribute too many scripts with our binary. So, there is no guarantee of the existance of a script, like there is with IIS's install layout.

i understand how you would feel this is a bug, but realisitically, for the most safety we have to build PHP as an unprivileged binary. Anymore, and it would be too  dangerous to even consider using php -- or any other scripting engine, for that matter.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 23:01:27 2024 UTC