From: [EMAIL PROTECTED]
Operating system: Windows .Net Server 2003 RC2
PHP version: 4CVS-2002-12-11 (dev)
PHP Bug Type: IIS related
Bug description: PHP shell functions always call cmd.exe - potential security issue

Windows .Net Server 2003 has instituted a new security measure that causes problems with any of the shell-related functions in PHP. Windows .Net Server changes the ACLs on EXEs in the %windir%\system32 subdirectory. In particular, CMD.EXE can no longer be executed by the "anonymous" user account (i.e., IUSR_COMPUTERNAME)--there is a specific Deny ACL created by the Windows .Net Server installer.

Since PHP calls CMD.EXE to execute any external shell program, PHP requires that CMD.EXE be reconfigured for anonymous access anytime a PHP page needs to call an external program. This design is no longer a good idea because PHP forces the web administrator to open up a potential security hole in the system by re-enabling access to CMD.EXE.

The shell functions in PHP should call the application directly instead of always calling CMD.EXE? If the PHP programmer wants to call a feature of the CMD interpreter, then he should be forced to call the shell command like `CMD /C dir *.*`; only then would the administrator be required to allow access to the command interpreter.

Please consider this modification, as it will make Windows .Net Server more secure when running PHP. Or at least add a configuration option to PHP.INI that will modify the behavior of the shell functions to no longer directly call CMD.EXE.

Thank you!

-- Edit bug report at http://bugs.php.net/?id=20951&edit=1
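
The behaviour the report asks for, as an added example that is not part of the original report or of the PHP version it was filed against. It relies on the array form of `proc_open()` (PHP 7.4 and later), which starts the program without a shell; `run_direct()` and the sample argument are hypothetical names and values constructed for illustration.

```php
<?php
// Added example, not from the original bug report. Requires PHP 7.4+.

/**
 * Start a program directly, with no cmd.exe (or /bin/sh) in between.
 * $argv[0] is the executable; the other items are passed as literal arguments.
 * Intended for small outputs: the pipes are read one after the other.
 */
function run_direct(array $argv): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    // Passing an array (not a string) makes proc_open() skip the shell.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed input containing characters a command interpreter would act on.
$arg = 'report.txt & dir *.*';

// The child is the PHP CLI itself, so the example needs no other program.
$r = run_direct([PHP_BINARY, '-r', 'echo $argv[1];', '--', $arg]);
var_dump($r['stdout'] === $arg);   // the argument arrived unmodified

// Interpreter features are an explicit opt-in, as the report proposes.
// This is the only call that needs execute access to cmd.exe.
if (PHP_OS_FAMILY === 'Windows') {
    try {
        $dir = run_direct(['cmd.exe', '/C', 'dir', '*.*']);
        echo 'cmd.exe exit code: ', $dir['exit'], PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'cmd.exe is not executable by this account', PHP_EOL;
    }
}
```

With this pattern the Deny ACL on CMD.EXE can stay in place for the anonymous account, and only pages that explicitly name `cmd.exe` are affected by it.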
