exec function in PHP and passthru?

Question

Hello I have a couple questions about PHP exec() and passthru().

1)
I never used exec() in PHP but I have seen it is sometimes used with imagemagick. I am now curious, what is some other common uses where exec is good in a web application?

2)
About 6 years ago when I first started playing around with PHP I did not really know anything, just very basic stuff and I had a site that got compromised and someone setup there own PHP file that was using the passthru() function to pass a bunch of traffic throught my site to download free music or video and I got hit with a 4,000$ bandwidth charge from my host! 6 years later, I know soo much more about how to use PHP but I still don't know how this ever happened to me before. How can someone beable to add a file to my server through bad code?

Answer 1

exec() allows you to use compiled code that is on your server, which would run faster than php, which is interpreted.

So if you have a large amount of processing that needs to be done quickly, exec() could be useful.

Answer 2

1. Use exec or when you want to run a different program.

2. The documentation for passthru says:

Warning

When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.

Someone had probably found a security hole in your script which allowed them to run arbitrary commands. Use the given functions to sanitise your inputs next time. Remember, nothing sent from the client can ever be trusted.

Answer 3

1] Exec() is really useful when you:

A) Want to run a program/utility on the server that php doesn't have a command equivalent for. For example ffmpeg is common utility run via an exec call (for all sorts of media conversion).

B) Running another process - which you can block or NOT block on - that's very powerful. Sometimes you qant a pcnt_fork though, or similar, along with the correct CL args for non blocking.

C) Another example is when I have to process XSLT 2.0 - I have to exec() a small java service I have running to handle the transformations. Very handy. PHP doesn't support XSLT 2.0 transformations.

2] Damn that's a shame. Well, lots of ways. Theres a family of vulnerability called, "remote file include vulns", that basically allow an attacker to include arbitrary source and thus execute it on your server. Take a look at: http://lwn.net/Articles/203904/

Also, mentioned above, say your doing something like (Much simplified):

exec("someUnixUtility -f $_GET['arg1']"); 

Well, imagine the attacker does, url.come?arg1="blah;rm -rf /", your code will basically boil down to:

exec("someUnixUtility -f blah; rm -rf /");

Which in unix, you separate commands w/the ; So yeah - that could be a lot of damage.

Same with a file upload, imagine you strip the last four chars (.ext), to find the extension. Well, what about something like this "exploit.php.gif", then you strip the extension, so you have exploit.php and you move it into your /users/imgs/ folder. Well, all the attacker has to do now is browse to users/imgs/exploit.php and they can run any code they want. You've been owned at that point.