[nycphp-talk] shell_exec security pitfalls?
Dan Cech
dcech at phpwerx.net
Wed Jul 18 21:40:18 EDT 2007
Dell Sala wrote:
> I'm doing some research on using GPG from PHP to encrypt sensitive data
> that will be stored server-side. I came across an old but good article:
>
> http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-PHP-and-GnuPG
>
> Decryption example from article:
>> $gpg = '/usr/bin/gpg';
>> $passphrase = 'My secret pass phrase.';
>> $encrypted_file = 'foo.gpg';
>> $unencrypted_file = 'foo.txt';
>> echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0
>> -o $unencrypted_file -d $encrypted_file");
>
> They did mention one pitfall related to using shell_exec:
>
> http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-PHP-and-GnuPG#Heading7
>
> Quoted from the article:
>> A second pitfall is in the use of PHP's shell_exec() statement. Since
>> you are executing a shell command the passphrase is available for all
>> to see due to having to echo it.
>
> How is it available for all to see? Are all shell commands called from
> PHP logged somewhere public? This didn't seem right to me, but maybe I'm
> missing something. Anyone know what they mean by "available for all to
> see"? Thanks!
There are 2 issues at play here.
As you have mentioned, the passphrase is passed on the command line,
which does make it vulnerable to various attacks. The most basic would
be that it would be visible in the output of 'ps auxfw'.
The other issue is that the decrypted data is written to disk in the
clear, so an attacker could read it directly from the disk.
A much better approach is to use the proc_open function to execute the
process and allow you to provide the passphrase directly to the gpg
process on stdin and read the decrypted data from stdout. This way the
passphrase & cleartext are much less vulnerable to simple sniffing by
other users of the machine.
Dan
More information about the talk
mailing list