0

Referring to a comment from someone on the question here:

While it is possible to make the script commands safe, a common attack vector is to upload a malicious script and use exec and similar functions to hack the server. As such, many shared hosting environments disable this and any other function that can run a shell argument.

Is this true? Is my server at risk of being attacked simply because I enable the PHP scripts to run the exec() method?

What can I do to prevent hackers from uploading files on my server? Or are there any other countermeasures that allow me to use the exec method safely?

1
  • The main worry about exec() is that you accept user input and integrate it into the command in some fashion. If you do not untaint or validate it carefully, you could end up running a destructive command that you would not wish to allow. Commented Jan 10, 2020 at 13:11

1 Answer

1

As long as you don't have a method for allowing users to upload files, you should be fine.

The way hackers would do this is by uploading a .php file with a malicious exec(), then opening the file via a web browser, thus executing the PHP code in the file, along with the exec() method.
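One way to cover both points raised on this page, validating what reaches exec() and keeping uploaded files from ever being run as PHP, shown as an added example that is not part of the original question or answer. The upload directory, the `doc` form field, the MIME allowlist and the use of the `file` utility are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR, ALLOWED and the
// `doc` field name are assumptions; adjust them to the application.

// Assumed to be a canonical path outside the web root, so the web server
// never serves or interprets anything stored here.
const UPLOAD_DIR = '/var/app-data/uploads';
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/**
 * Choose a storage path for an uploaded temp file, or null to reject it.
 * The client-supplied name is ignored: the extension comes from the detected
 * content type, so a file can never be saved with a .php extension.
 */
function safeUploadTarget(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null; // not on the allowlist (PHP source lands here)
    }
    return UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

/**
 * Run one fixed program on a stored file. The only variable part of the
 * command is a path that is confined to UPLOAD_DIR and shell-quoted.
 */
function describeFile(string $path): string
{
    $real = realpath($path);
    if ($real === false || strncmp($real, UPLOAD_DIR . '/', strlen(UPLOAD_DIR) + 1) !== 0) {
        throw new InvalidArgumentException('path is outside the upload directory');
    }
    // "--" ends option parsing, so the path cannot be read as a flag.
    exec('file --brief -- ' . escapeshellarg($real), $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('file exited with status ' . $status);
    }
    return implode("\n", $output);
}

// Upload handler: reject, or store under a server-chosen name and inspect.
if (isset($_FILES['doc']) && $_FILES['doc']['error'] === UPLOAD_ERR_OK) {
    $target = safeUploadTarget($_FILES['doc']['tmp_name']);
    if ($target === null || !move_uploaded_file($_FILES['doc']['tmp_name'], $target)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    echo htmlspecialchars(describeFile($target));
}
```

Content-type detection alone can be fooled by a file that is both a valid image and PHP source, which is why the storage location and the server-chosen extension carry the real weight here.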
