Hi,

Just to report how bad an idea it is... at least two SQL injections and
one shell injection in your files.

On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
> Hi,
> 
> I have a web form.
> 
> I need to send the web form to a bash script
> 
> webform.html --> PHP process --> create.sh
> 
> create.sh
> #!/bin/ksh
> # Create user
> 
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

SQL injection on $2 and $3, as "'" isn't escaped by the antiyec function

> example php
> <?php
> function antiyec($data) {
>   $data = trim($data);
>   $data = stripslashes($data);
>   $data = htmlspecialchars($data);
>   return $data;
> }
> $user = antiyec($_POST['user']);
> $frase1 = antiyec($_POST['pass']);
> $domain = antiyec($_POST['dom']);
> 
> $out = shell_exec('ksh create.sh $frase1 $user $domain');

Shell injection on the user, pass and dom variables, as ";" isn't escaped by
the antiyec function

> echo "<pre>$out</pre>";
> ?>
> 
> 
> On 06/01/15 08:50, Gareth Nelson wrote:
> > Everyone is missing the bigger picture here:
> > 
> > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> > and things should be redesigned so that it's not needed.
> > 

Yes, it is a bad idea.
-- 
Sébastien Marie
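
The SQL injection pointed out above for `$2` and `$3` can be closed inside create.sh by refusing anything outside an allowlist before the values reach the INSERT. This is an added example, not code from the thread; the function names, character sets and length limits are assumptions. It does not cover the PHP side, where each argument still has to be quoted (for example with `escapeshellarg()`) before `shell_exec()`.

```shell
#!/bin/sh
# Added example: allowlist checks for the user and domain arguments of create.sh.
# Function names, character sets and length limits are assumptions.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII lowercase only

# User: a-z, 0-9, '.', '_', '-'; must start alphanumeric; 1 to 32 characters.
valid_user() {
    case "$1" in
        ''|[!a-z0-9]*|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Domain: dot-separated labels of a-z, 0-9 and '-'; no empty labels.
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!a-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Build the INSERT only from values that passed the checks.
# $1=user  $2=domain  $3=output of `smtpctl encrypt`, assumed to contain
# only crypt(3) characters (letters, digits, '.', '/', '$').
build_insert() {
    valid_user "$1"   || { echo "rejected user" >&2; return 1; }
    valid_domain "$2" || { echo "rejected domain" >&2; return 1; }
    case "$3" in
        ''|*[!A-Za-z0-9./\$]*) echo "rejected hash" >&2; return 1 ;;
    esac
    # With "'" excluded by every check above, the quoted literals cannot be closed early.
    printf "INSERT INTO mails (userid, domain, password, maildir) VALUES ('%s', '%s', '%s', '%s/%s/');\n" \
        "$1" "$2" "$3" "$2" "$1"
}
```

In create.sh the result of `build_insert "$2" "$3" "$crypted"` would be piped to `mysql` only when the function returns 0.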
