Discussion:
Help with Security
chirag sharma
2013-07-04 09:16:21 UTC
I have created an online PHP code executor at http://web.guru99.com
Though I have checked all security aspects … do you experts see any major flaw that I need to care of?
c***@gmail.com
2015-07-07 02:15:35 UTC
Hi Chirag,
I am pretty new to posting to this list, but I am not sure that your message belongs on this particular group, since I don't see its relevance to win32 kernel programming. I also haven't written PHP before, but I do see some problems.
Post by chirag sharma
I have created an online PHP code executor at http://web.guru99.com
Though I have checked all security aspects ... do you experts see any major flaw that I need to care of?
Did you sandbox the php readfile?

<?php
readfile("../../../../../../etc/passwd");
?>

Did you ensure that PATH does not contain executables you would like to run, and also chroot the process so it cannot explicitly specify the path for a system command?

<?php
system("whoami");
?>

Your page allows cross-site scripting (XSS).

<?php
print "<script>alert('XSS')</script>";
?>

Anyway, I hope this helps. You may wish to try running some of the PHP security scanners to find other problems than my ad-hoc testing.
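As an added illustration (not code from the thread or from the guru99 site), this is one way a PHP executor can address the three findings above: run the submitted program in a separate php-cli process with open_basedir and disable_functions set and an empty PATH, then HTML-escape the captured output before echoing it. It assumes php-cli at /usr/bin/php and a writable jail directory /tmp/sandbox; these ini settings are hardening only, not a security boundary, so the child should still run inside a chroot or container as the reply suggests.

```php
<?php
// Added example: execute untrusted PHP in a restricted child interpreter.
// Assumptions: /usr/bin/php exists and /tmp/sandbox is writable.

function run_untrusted_php(string $code): array {
    $dir  = '/tmp/sandbox';                       // assumed jail directory
    $file = tempnam($dir, 'job_');
    file_put_contents($file, $code);

    // Ini overrides for the child. They mitigate the findings in the reply
    // (path traversal via readfile, system() calls) but can be bypassed, so
    // an OS-level sandbox around this process is still required.
    $ini = [
        'open_basedir=' . $dir,                   // readfile("../../etc/passwd") now fails
        'disable_functions=system,exec,shell_exec,passthru,proc_open,popen,pcntl_exec',
        'allow_url_fopen=0',
        'allow_url_include=0',
        'max_execution_time=2',
        'memory_limit=32M',
    ];
    $cmd = '/usr/bin/php';                        // assumed interpreter path
    foreach ($ini as $setting) {
        $cmd .= ' -d ' . escapeshellarg($setting);
    }
    $cmd .= ' ' . escapeshellarg($file);

    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $env = ['PATH' => '/nonexistent'];            // no executables reachable via PATH
    $proc = proc_open($cmd, $descriptors, $pipes, $dir, $env);
    if (!is_resource($proc)) {
        unlink($file);
        return ['ok' => false, 'output' => ''];
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    unlink($file);

    // Escape before embedding in the result page so that a <script> tag in the
    // program's output is rendered as text instead of being executed (XSS).
    return [
        'ok'     => $status === 0,
        'output' => htmlspecialchars($out, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

// Constructed input mirroring the XSS probe from the reply.
$result = run_untrusted_php("<?php print \"<script>alert('XSS')</script>\";");
echo '<pre>' . $result['output'] . '</pre>';
```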