php - inject code into $_SERVER['REMOTE_ADDR'] ?

From: Christophe Vandeplas (christophe_at_vandeplas.com)
Date: 01/31/05


Date: Mon, 31 Jan 2005 16:43:28 +0100


Hello

I am coding a kind of weblogin system that adapts the firewall of a
gateway for logged users so that they can access another network.

to adapt the firewall I made a simple script, let's call it
firewallAuth. This script needs 1 argument, the ip that needs to be
added in the firewall.

Now the only way to do this in php is to use the 'exec()' function.
The ip of the user is stored in $_SERVER['REMOTE_ADDR'].
To get root rights (I need them to adapt my firewall) i use sudo. (the
php user can only run the firewallAuth command with sudo)

So I just do this in php code:
exec("sudo /home/firewall/firewallAuth ".$_SERVER['REMOTE_ADDR']);

My question is now: is there any (known) way for a user to inject sode
into this _SERVER global? or am I not-to-unsafe to use it?

 
Thanks for the comments.

-- 
-------------------------------------
Christophe 'ElCascador' Vandeplas
GSM: +32 (0)486/64.10.33
email: christophe(at)vandeplas(dot)com
http://www.vandeplas.com
GnuPG:1024D/14913897: 66BD A9EB 0357 D80F 20D4  D698 3B2B E562 1491 3897
-------------------------------------
*** PLEASE ***
"Never send mass-mails/forward to this email address.
 Please add the email-address to the BCC field (Blind Carbon Copy)
 or send the mail separately to me."comp.os.linux.security
-- 
-------------------------------------
Christophe 'ElCascador' Vandeplas
GSM: +32 (0)486/64.10.33
email: christophe(at)vandeplas(dot)com
http://www.vandeplas.com
GnuPG:1024D/14913897: 66BD A9EB 0357 D80F 20D4  D698 3B2B E562 1491 3897
-------------------------------------
*** PLEASE ***
"Never send mass-mails/forward to this email address.
 Please add the email-address to the BCC field (Blind Carbon Copy)
 or send the mail separately to me."




Relevant Pages

  • php - inject code into $_SERVER ?
    ... The weblogin system is written in php4 on a apache2 webserver running on a debian system. ... to adapt the firewall I made a simple script, ... Now the only way to do this in php is to use the 'exec' function. ... To get root rights (I need them to adapt my firewall) i use sudo. ...
    (SecProg)
  • RE: LAMP on RHEL 5 (Server)
    ... Is there a straightforward way to upgrade PHP without messing with the dependencies too much? ... LAMP on RHEL 5 ... the issue was the firewall settings - running 'service iptables stop' disabled the firewall and allowed me to access the server from an external machine. ...
    (RedHat)
  • Re: Restricting access to a website
    ... If, for example, my website is www .lahdedah. ... Yes or no would do and a PHP ... It can all be done in the Apache ... work on a shared server for a number of reasons - like he doesn't have access to the firewall configuration and the firewall is web host blind - it doesn't know that the request should be restricted only for one of the sites on the server, ...
    (comp.lang.php)
  • Re: PHP as web proxy ?
    ... > I need to use a PHP app as a sort of a web proxy ... > I have a mailserver with own web server and web interface. ... similarly to this I am behind a firewall here at work.... ... connecting to an IMAP server where the IMAP ports are blocked on the ...
    (comp.lang.php)
  • Re: PHP as web proxy ?
    ... > I need to use a PHP app as a sort of a web proxy ... > I have a mailserver with own web server and web interface. ... similarly to this I am behind a firewall here at work.... ... connecting to an IMAP server where the IMAP ports are blocked on the ...
    (comp.lang.php)