Hacker News new | comments | ask | show | jobs | submit login
Exploit/bypass PHP escapeshellarg/escapeshellcmd functions (security.szurek.pl)
19 points by josephscott 9 months ago | hide | past | web | favorite | 5 comments

The title on this seems pretty misleading.

This is really a guide on how to use the escapeshellarg when you should use escapeshellcmd (or the opposite). Of course, the API of system() is pretty awful, so there is an issue here in the form of "wow, PHP makes this really easy to mess up," but there's no actual exploit in either function mentioned. Just exploits in code people write using them. I guess the LANG one is arguably an actual exploit though, though that gets into arguing semantics.

Edit: there's also an example that is missing quotes around an argument. Again, something very easy to mess up, but that's what you get when you have a function that is basically like typing a line into the shell.

Actually, the mentioned GitList exploit hinges on yet another vulnerability: lack of distinction of command-line flags and arguments. Where user expected to put "normal" name (say a-zA-Z0-9), attacker actually supplied --flag=exploit.

I'm confused how a list of clever ways to get executables to initiate other executables is somehow an "exploit" of a programming language offering a system(3) call?

How about we just don't run system calls, especially none that contain any amount of user input.

Ah yes, "PHP "security"". Yes, untrusted user input going to the shell is a bad idea, even when "sanitized".

Of course, unlike other saner languages, bypassing the shell isn't always an option. When running under Apache, pcntl_exec() isn't available, so you just gotta hope rely on escapeshellarg(), addbackslashes(), and prayer.

You should be running your application code in some sort of sandbox anyway, to minimize the data available to an attacker in the event of privilege escalation.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact