views:

1219

answers:

2

Hi,

I have the requirement for a web script to execute an exe file and then return the results on the exe to the web request.

I can either echo back the result of the exe or modify the exe to save it's results to a file, and then read the file to echo back the web request.

The problem is that using php under IIS all exec() shell_execute() system() type functions error out with 'Unable to fork' because the IIS anonymous user IUSER_%COMPUTER_NAME% does not have access to C:\windows\system32\cmd.exe

This can be fixed by changing this IIS anonymous user's permissions for cmd.exe but this is significant security weakening (I believe).

Is there any way I can have by PHP script under IIS call an Exe without opening up cmd.exe to the IIS anonymouse user ?

Help appreciated.

Why do I need to do this ? I have a serial key generator, when somone buys my product via credit card my payment processor needs to call a url passing the license name as a parameter and having a serial number for that license name returned.

My license key generator is WinLicense, which I have an an exe.

I need to run something like

shell_exec("C:\inetpub\wwwroot\test.com\testLicense.exe \"".$regName."\""); // or exec() or system()

(testLicense.exe stores the result in a file which my php script can then echo)

A: 

Why do you need to open CMD.EXE? I know it's your question, but I would like to understand why you need to do that?

toto
For future reference...you should make questions like these comments to the question, not an answer.
Justin Niessner
+1  A: 

Filter the variables you feed to exec() very carefully.

use integers only for numerical information

if it's a filename use file_exists() to confirm it's a real filename

if it's a string use regex and remove characters like ' and " and \ and ; so any commands in it wont run.

Fire Crow