If you made these mistakes you'll have made others - get guidance from
someone who knows what they're doing and have them audit your whole system.

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctorow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 6:31 PM, Okupandolared <kan...@darkmail.mx> wrote:

> thank you all for the support,
>
> I'll think about another way, and also sanitize my form.
>
> maybe python goes outside the chroot.
>
> Thanks again
>
> On 06/01/15 10:21, Sebastien Marie wrote:
> > Hi,
> >
> > Just to report how it is a bad idea... at least two sql injection and
> > one shell injection in your files.
> >
> > On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
> >> Hi,
> >>
> >> I have a web form.
> >>
> >> I need to send the web form's data to a shell script:
> >>
> >> webform.html --> PHP proces --> create.sh
> >>
> >> create.sh
> >> #!/bin/ksh
> >> # Create user
> >>
> >> echo "hi!! your pass $1"
> >> crypted="$(echo -n "$1" | smtpctl encrypt )"
> >> maildir="$3/$2/"
> >> echo -e "$2@$3" >> recipients
> >> echo -e "$2@$3\t$crypted" >> credentials
> >> echo "ejabberdctl register $2 $3 $1"
> >> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> >> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
> >
> > sql injection on $2 and $3 as "'" isn't escaped by antiyec function
> >
> >> example php
> >> <?php
> >> function antiyec($data) {
> >>   $data = trim($data);
> >>   $data = stripslashes($data);
> >>   $data = htmlspecialchars($data);
> >>   return $data;
> >> }
> >> $user = antiyec($_POST['user']);
> >> $frase1 = antiyec($_POST['pass']);
> >> $domain = antiyec($_POST['dom']);
> >>
> >> $out = shell_exec('ksh create.sh $frase1 $user $domain');
> >
> > shell injection on user, pass and dom variables, as ";" isn't escaped by
> > antiyec function
> >
> >> echo "<pre>$out</pre>";
> >> ?>
> >>
> >>
> >> On 06/01/15 08:50, Gareth Nelson wrote:
> >>> Everyone is missing the bigger picture here:
> >>>
> >>> Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> >>> and things should be redesigned so that it's not needed.
> >>>
> >
> > yes it is a bad idea.
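
Added example, not code from the thread or its author: a hardened rewrite of the posted PHP that closes both injection paths Sebastien named, along the lines Gareth suggests (do the work in PHP instead of handing untrusted strings to a shell). It assumes PHP 7 or later, a PDO connection to the same `mail` database and `mails` table, and a hypothetical `smtpctl_encrypt()` helper standing in for the `smtpctl encrypt` pipe.

```php
<?php
// Hardened version of the posted form handler (added example, not the
// thread's code). Same inputs as the original: user, pass, dom.
//
// Assumptions: PHP >= 7, a PDO connection to the "mail" database with the
// "mails" table used by create.sh, and the hypothetical helper
// smtpctl_encrypt() below.

// 1. Validate with an allowlist instead of "sanitizing" with
//    htmlspecialchars(): that function is for HTML output and does not
//    touch ';' (nor "'" under the PHP 5.x default flags), so it protects
//    neither the shell nor the SQL context.
function valid_local_part(string $s): bool {
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $s) === 1;
}
function valid_domain(string $s): bool {
    return strlen($s) <= 253
        && preg_match('/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $s) === 1;
}

$user   = $_POST['user'] ?? '';
$pass   = $_POST['pass'] ?? '';
$domain = $_POST['dom']  ?? '';

if (!valid_local_part($user) || !valid_domain($domain) || $pass === '') {
    http_response_code(400);
    exit("invalid input\n");
}

// 2. Where an external command is unavoidable, wrap every value in
//    escapeshellarg() so the shell receives exactly one argument per value.
//    Note that the original 'ksh create.sh $frase1 $user $domain' was
//    single-quoted, so PHP never substituted the variables at all.
//    Caveat: a password on a command line is visible to other local users
//    via ps; feeding it on stdin with proc_open() avoids that.
function smtpctl_encrypt(string $pass): string {   // hypothetical helper
    $out = shell_exec('printf %s ' . escapeshellarg($pass) . ' | smtpctl encrypt');
    return trim((string) $out);
}
$crypted = smtpctl_encrypt($pass);

// 3. Run the INSERT from PHP as a prepared statement: the values are bound
//    as data and cannot alter the statement's structure.
$pdo = new PDO('mysql:host=localhost;dbname=mail', 'myuser', 'mypass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'INSERT INTO mails (userid, domain, password, maildir) VALUES (?, ?, ?, ?)');
$stmt->execute([$user, $domain, $crypted, "$domain/$user/"]);
echo "created $user@$domain\n";
```

The remaining steps of create.sh (appending to `recipients` and `credentials`, registering the XMPP account) can be done the same way from PHP with validated values, so the shell never sees raw form input.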
