Help with Security


chirag sharma

Jul 3, 2013, 3:49:29 AM
to se...@googlegroups.com

I have created an online PHP code executor at http://web.guru99.com

Though I have checked all security aspects … do you experts see any major flaw that I need to care of?

Timo

Jul 3, 2013, 4:10:52 AM
to se...@googlegroups.com
Hi,

How did you design the concept? Is the system based on blacklisting of possibly dangerous commands? Is the PHP code executed in a chrooted environment, etc.?

It is hard to say after such a quick look I took, but it would be easier if the source code was available for review (with some kind of commentary related to the design of the system).

If you are on an environment where you can not get a real virtualbox/chrooted foundation for the user submitted PHP code, I suggest you might want to take a look at: http://www.reddit.com/r/PHP/comments/19bfhz/phpsandbox_an_open_source_class_for_creating/

Timo


--
You received this message because you are subscribed to the Google Groups "PHP Security Technical Group" group.

Adam Shaw

Jul 3, 2013, 2:06:03 PM
to se...@googlegroups.com
What you're trying to do is very hard in general.
I was able to file_get_contents your exec.php. After looking at the code you use to execute the code I really think you should consider doing something other than raw eval-ing user submitted strings.
Exec was turned off, but I can still scandir your root and walk through reading files however I want (unlink also works... eek!).

If you 100% have to have this functionality (I would argue that you don't) I would either set up PHP in safe mode or (much more safely) look at client-side options:
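
The two posts above (Timo's question about blacklisting versus a chrooted environment, and Adam's finding that exec() was disabled yet scandir() and unlink() still worked) describe the same weakness: an in-process eval() with a function blacklist. The following is an added example written for this thread, not code from web.guru99.com or from either poster. It contrasts that pattern with a runner that executes the snippet in a separate php process under its own ini restrictions and a wall-clock kill. Assumed: PHP 8 on Linux, the CLI binary at PHP_CLI (adjust), a jail directory owned by an unprivileged account, and the whole service already inside a container, VM or chroot; ini restrictions are a defence layer, not an isolation boundary.

```php
<?php
// Added example (not from web.guru99.com or the thread): eval() in-process versus
// a child php process with open_basedir, disable_functions, limits and a kill timer.

const PHP_CLI = '/usr/bin/php';   // assumed path to the php CLI binary

// The pattern Adam describes: exec() may be disabled, but scandir(), file_get_contents()
// and unlink() still run with the web server's privileges and filesystem view.
function run_unsafely(string $code): string
{
    ob_start();
    eval($code);   // e.g. print_r(scandir('/')); unlink('exec.php');
    return (string) ob_get_clean();
}

function run_sandboxed(string $code, string $jail, int $cpuSeconds = 2, int $wallSeconds = 4): array
{
    $disabled = [
        'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'pcntl_exec', 'pcntl_fork',
        'dl', 'putenv', 'mail',                                   // process / environment
        'fsockopen', 'pfsockopen', 'stream_socket_client', 'stream_socket_server',
        'curl_init', 'curl_exec', 'curl_multi_exec',              // raw network (http:// wrappers: allow_url_fopen)
        'unlink', 'rmdir', 'rename', 'chmod', 'chown', 'chgrp', 'symlink', 'link', 'touch', 'tempnam',
    ];
    $ini = [
        'open_basedir'       => $jail,                  // every path outside the jail is refused
        'disable_functions'  => implode(',', $disabled),
        'allow_url_fopen'    => '0',
        'allow_url_include'  => '0',
        'memory_limit'       => '32M',
        'max_execution_time' => (string) $cpuSeconds,   // CPU time on Linux, so sleep() does not count
        'display_errors'     => '1',
        'html_errors'        => '0',
    ];
    $cmd = [PHP_CLI, '-n'];                             // -n: ignore the system php.ini entirely
    foreach ($ini as $k => $v) {
        $cmd[] = '-d';
        $cmd[] = "$k=$v";
    }
    // Array form of proc_open bypasses /bin/sh; the script travels over stdin,
    // so no user data is ever placed on a command line.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $jail, ['PATH' => '/usr/bin:/bin']);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start php');
    }
    fwrite($pipes[0], str_starts_with(ltrim($code), '<?') ? $code : "<?php\n" . $code);
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = '';
    $err = '';
    $exit = null;
    $deadline = microtime(true) + $wallSeconds;
    while (true) {
        $out .= (string) stream_get_contents($pipes[1]);
        $err .= (string) stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exit = $status['exitcode'];                // only valid on the first call after exit
            break;
        }
        if (microtime(true) > $deadline) {              // catches sleep()/blocking loops CPU limits miss
            proc_terminate($proc, 9);
            $err .= "\n[killed after {$wallSeconds}s wall-clock]";
            break;
        }
        if (strlen($out) > 65536) {                     // a busy echo loop must not exhaust our memory
            proc_terminate($proc, 9);
            $err .= "\n[killed: output limit]";
            break;
        }
        usleep(20000);
    }
    $out .= (string) stream_get_contents($pipes[1]);    // drain what arrived between read and exit
    $err .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return ['stdout' => substr($out, 0, 65536), 'stderr' => $err, 'exit' => $exit];
}

// Usage with a constructed snippet: scandir('/') now fails with an open_basedir
// warning and unlink() is rejected as a disabled function, instead of walking the
// document root the way Adam could.
$jail = sys_get_temp_dir() . '/phpjail';                // assumed jail location
@mkdir($jail, 0700);
$r = run_sandboxed("print_r(scandir('/')); unlink('exec.php'); echo 'done';", $jail);
echo $r['stdout'], $r['stderr'], "\nexit=", var_export($r['exit'], true), "\n";
```

Two things the code cannot do for you: the child still runs as whatever user started it, so the web worker must already be an unprivileged account inside a container or chroot; and a blacklist stays a blacklist, which is why open_basedir (deny by default) carries more weight here than disable_functions.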

MattParker

Jul 4, 2013, 7:19:49 AM
to se...@googlegroups.com
And having just skimmed the tutorial on security, there might be some more comments from this group on the content, too.

There's an earlier thread in this group about password hashing you might want to review, and update that section.  The sql injection section might want to recommend parameterised queries.

In your definition of security I'd also expect to see something about availability.

I'd also expect to see something about CSRF and salting forms.

Hope that's helpful,

Matt
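
The three content points Matt raises (password hashing, parameterised queries for the SQL injection section, and CSRF tokens on forms) fit in one small login flow. The code below is an added example written for this thread, not code from the guru99 tutorial. It uses an in-memory SQLite database and a plain array standing in for $_SESSION so it runs from the CLI; a web app would use session_start() and $_SESSION. Assumes PHP 7.4+ with the pdo_sqlite extension; the user names and passwords are constructed.

```php
<?php
// Added example (not from the guru99 tutorial): parameterised queries,
// password_hash(), and a per-session CSRF token, with constructed demo data.

// 1. SQL injection: the concatenated form, kept only to show what the fix changes.
function find_user_vulnerable(PDO $db, string $name): ?array
{
    $row = $db->query("SELECT id, hash FROM users WHERE name = '$name'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The parameterised form: the SQL text is fixed, values travel separately.
function find_user(PDO $db, string $name): ?array
{
    $st = $db->prepare('SELECT id, hash FROM users WHERE name = :name');
    $st->execute([':name' => $name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Password hashing: password_hash() applies a slow, salted algorithm (bcrypt by
//    default) and stores the parameters in the hash; never store md5()/sha1() of a password.
function register(PDO $db, string $name, string $password): void
{
    $st = $db->prepare('INSERT INTO users (name, hash) VALUES (:name, :hash)');
    $st->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $name, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy-to-equalise-timing', PASSWORD_DEFAULT);
    $row = find_user($db, $name);
    // Always run one verify so an unknown user costs the same time as a wrong password.
    $ok = password_verify($password, $row['hash'] ?? $dummy);
    return $row !== null && $ok;
}

// 3. CSRF: a random per-session token echoed in every state-changing form and
//    compared with hash_equals(); the session cookie alone does not prove the
//    request was made from our page.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, hash TEXT)');
register($db, 'alice', 'a long passphrase chosen by alice');

$injected = "' OR '1'='1";
var_dump(find_user_vulnerable($db, $injected));   // the tautology matches alice's row
var_dump(find_user($db, $injected));              // looks for a user literally named ' OR '1'='1

var_dump(login($db, 'alice', 'a long passphrase chosen by alice'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, 'mallory', 'anything'));      // unknown user, same timing path

$session = [];
$formField = csrf_field($session);                // embed in the form markup
var_dump(csrf_valid($session, ['csrf' => $session['csrf']]));
var_dump(csrf_valid($session, ['csrf' => 'forged']));
var_dump(csrf_valid($session, []));
```

Note that the CSRF check belongs on every POST that changes state (login included), and that password_hash() output is a self-describing string, so the column should be wide enough for future algorithms rather than sized for today's bcrypt output.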