Thank you all for the support.
I will think of another way, as well as sanitize my form.
Maybe Python goes outside the chroot.
Thanks again
On 06/01/15 10:21, Sebastien Marie wrote:
> Hi,
>
> Just to report how it is a bad idea... at least two SQL injections and
> one shell injection in your files.
>
> On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
>> Hi,
>>
>> I have a web form.
>>
>> I need to send the web form to a bash script
>>
>> webform.html --> PHP process --> create.sh
>>
>> create.sh
>> #!/bin/ksh
>> # Create user
>>
>> echo "hi!! your pass $1"
>> crypted="$(echo -n "$1" | smtpctl encrypt )"
>> maildir="$3/$2/"
>> echo -e "$2@$3" >> recipients
>> echo -e "$2@$3\t$crypted" >> credentials
>> echo "ejabberdctl register $2 $3 $1"
>> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
>> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
>
> SQL injection on $2 and $3 as "'" isn't escaped by antiyec function
>
>> example php
>> <?php
>> function antiyec($data) {
>> $data = trim($data);
>> $data = stripslashes($data);
>> $data = htmlspecialchars($data);
>> return $data;
>> }
>> $user = antiyec($_POST['user']);
>> $frase1 = antiyec($_POST['pass']);
>> $domain = antiyec($_POST['dom']);
>>
>> $out = shell_exec('ksh create.sh $frase1 $user $domain');
>
> shell injection on user, pass and dom variables, as ";" isn't escaped by
> antiyec function
>
>> echo "<pre>$out</pre>";
>> ?>
>>
>>
>> On 06/01/15 08:50, Gareth Nelson wrote:
>>> Everyone is missing the bigger picture here:
>>>
>>> Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
>>> and things should be redesigned so that it's not needed.
>>>
>
> Yes, it is a bad idea.
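
An added example, not part of the thread and not the poster's code: allowlist checks that create.sh could run on its user ($2) and domain ($3) arguments before they reach the recipients file, the maildir path and the quoted SQL literals. The function names, the permitted character sets and the length limits are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: allowlist checks for create.sh arguments ($2 = user, $3 = domain).
# Function names and length limits are assumptions, not from the thread.
LC_ALL=C; export LC_ALL   # make a-z mean ASCII letters only

# user: 1-32 chars from [a-z0-9._-], first char alphanumeric
is_valid_user() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# domain: dot-separated labels of [a-z0-9-], at least one dot, no empty labels
is_valid_domain() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
        .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Returns 0 only when both values are safe to place in the recipients file,
# the maildir path and the single-quoted SQL literals.
check_args() {
    is_valid_user "$1" && is_valid_domain "$2"
}

# Constructed sample inputs: user|domain pairs, one per line.
while IFS='|' read -r u d; do
    if check_args "$u" "$d"; then
        printf 'accept  %s@%s\n' "$u" "$d"
    else
        printf 'reject  %s@%s\n' "$u" "$d"
    fi
done <<'EOF'
alice|example.org
o'brien|example.org
bob;id|example.org
carol|example.org/../x
EOF
```

These checks only cover what happens inside create.sh. The command line built by shell_exec is parsed by the shell before create.sh starts, so the PHP side still needs escapeshellarg() on each argument, or no shell call at all.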