[nycphp-talk] shell_exec security pitfalls?
CED
Consult at CovenantEDesign.com
Wed Jul 18 21:32:14 EDT 2007
What is meant is that a shell/terminal session pops up to run the command,
and a person on the terminal could see it running.
-Ed
----- Original Message -----
From: "Dell Sala" <dell at sala.ca>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Wednesday, July 18, 2007 9:20 PM
Subject: [nycphp-talk] shell_exec security pitfalls?
> Hi all,
>
> I'm doing some research on using GPG from PHP to encrypt sensitive
> data that will be stored server-side. I came across an old but good
> article:
>
> http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-
> PHP-and-GnuPG
>
> Decryption example from article:
> > $gpg = '/usr/bin/gpg';
> > $passphrase = 'My secret pass phrase.';
> > $encrypted_file = 'foo.gpg';
> > $unencrypted_file = 'foo.txt';
> > echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0
> > -o $unencrypted_file -d $encrypted_file");
>
> They did mention one pitfall related to using shell_exec:
>
> http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-
> PHP-and-GnuPG#Heading7
>
> Quoted from the article:
> > A second pitfall is in the use of PHP's shell_exec() statement.
> > Since you are executing a shell command the passphrase is available
> > for all to see due to having to echo it.
>
> How is it available for all to see? Are all shell commands called
> from PHP logged somewhere public? This didn't seem right to me, but
> maybe I'm missing something. Anyone know what they mean by "available
> for all to see"? Thanks!
>
> -- Dell
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>
More information about the talk
mailing list