Closed njohnsn closed 9 years ago
Looks like there is one place where exec() is called (to generate the video thumbnail). It needs to be reviewed carefully to prevent OS command execution.
This is an incredibly serious issue. The unused system functions need to be disabled, and the input to the exec() needs to be sanitized properly. There is a high risk here for intrusion.
Jacob, this is important enough that I'm going to assign it to you. You can have Jordan do any programming that needs to be done on top of the configuration changes. Make sure you have him write the proper checks on input variables to the exec() function.
Use the disable_functions parameter in the php.ini file to disable the following functions: show_source(), exec(), shell_exec(), system(), passthru(), proc_open(), popen()
This will reduce the chance of injected php from executing operating system commands.
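As an added example (not code from this project or from anyone in the thread), the php.ini side of the change above is a single line, `disable_functions = show_source,exec,shell_exec,system,passthru,proc_open,popen`; the directive is PHP_INI_SYSTEM, so it can only be set in php.ini or a per-pool/per-vhost configuration, never from a script with ini_set(). The PHP below shows the other half the thread asks for: the input checks that a thumbnail routine should apply before anything reaches exec(). It assumes, hypothetically, that the thumbnail tool is ffmpeg, that uploaded videos live under a fixed directory, and that the filename comes from user input; the directory paths and the sample inputs are constructed for the example. One caveat a practitioner should notice: if exec() itself is placed in disable_functions, the thumbnail code that depends on it stops working, so the example fails closed with an explicit error in that case rather than silently producing nothing.

```php
<?php
// Added example, not the project's own code.
// Assumptions (hypothetical): thumbnails are produced with ffmpeg, source
// videos live under VIDEO_DIR, thumbnails are written to THUMB_DIR.
declare(strict_types=1);

const VIDEO_DIR = '/var/www/uploads/videos';   // assumed location
const THUMB_DIR = '/var/www/uploads/thumbs';   // assumed location

/**
 * Validate a user-supplied video filename before it gets near a shell.
 * Returns the canonical absolute path of an existing file under VIDEO_DIR,
 * or throws InvalidArgumentException.
 */
function safe_video_path(string $userFile): string
{
    // Allow-list: a conservative character set and a known extension only.
    // Shell metacharacters (; | & $ ` ' " space, newline) are rejected here,
    // so escapeshellarg() below is defence in depth rather than the only guard.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\.(mp4|mov|webm)\z/', $userFile)) {
        throw new InvalidArgumentException('invalid video filename');
    }
    // Canonicalise and confirm the file really sits under VIDEO_DIR,
    // which also blocks traversal if the pattern is ever loosened.
    $path = realpath(VIDEO_DIR . '/' . $userFile);
    if ($path === false || strpos($path, VIDEO_DIR . '/') !== 0) {
        throw new InvalidArgumentException('video not found under upload directory');
    }
    return $path;
}

/**
 * Build the ffmpeg command line with every variable part quoted.
 * escapeshellarg() wraps the argument in single quotes and escapes any
 * embedded single quotes, so the filename cannot inject extra commands.
 */
function thumbnail_command(string $videoPath, string $thumbPath): string
{
    return 'ffmpeg -y -i ' . escapeshellarg($videoPath)
        . ' -ss 00:00:01 -frames:v 1 ' . escapeshellarg($thumbPath);
}

/**
 * Generate a thumbnail for a user-selected video and return the thumbnail path.
 */
function generate_thumbnail(string $userFile): string
{
    // function_exists() returns false for functions listed in disable_functions,
    // so a hardened php.ini is detected explicitly instead of failing obscurely.
    if (!function_exists('exec')) {
        throw new RuntimeException('exec() is disabled by php.ini; thumbnail generation is unavailable');
    }
    $video = safe_video_path($userFile);
    $thumb = THUMB_DIR . '/' . pathinfo($video, PATHINFO_FILENAME) . '.jpg';

    $output = [];
    $status = 0;
    exec(thumbnail_command($video, $thumb) . ' 2>&1', $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('ffmpeg failed: ' . implode("\n", $output));
    }
    return $thumb;
}

// Constructed sample inputs: one plausible name and three injection attempts.
// Note that 'clip.mp4' is also rejected unless that file actually exists
// under VIDEO_DIR, because realpath() refuses non-existent paths.
foreach (['clip.mp4', 'clip.mp4; id', '../../etc/passwd', "a'b.mp4"] as $name) {
    try {
        $path = safe_video_path($name);
        echo "accepted: $name -> $path\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $name ({$e->getMessage()})\n";
    }
}
```

The two checks are deliberately layered: the allow-list regex is the primary control and should reject anything the application does not need, while escapeshellarg() protects the command line even if a future change relaxes the pattern. Keep the exec() call confined to this one routine so that the review the thread asks for stays a review of a single function.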