awesome-foss / awesome-sysadmin

A curated list of amazingly awesome open-source sysadmin resources.

Add Server dashboard #110

Closed joubertredrat closed 9 years ago

joubertredrat commented 9 years ago

https://github.com/Kickball/awesome-selfhosted/issues/262

n1trux commented 9 years ago

Enabling shell_exec? This seems risky. Do you use it?

Apart from that: Please create a PR.

joubertredrat commented 9 years ago

Hi @n1trux, I'm a PHP developer. There is no risk in using shell_exec with PHP because the webserver generally runs as the www-data or httpd user, so the risk is low. I used this when I was searching for a tool to monitor my server locally; today I use PHPSysInfo.

n1trux commented 9 years ago

Still, with shell_exec you could gain access to files running under the very same httpd/www-data user, which may expose database passwords and other attack vectors.

xetch commented 9 years ago

:thumbsdown: I wouldn't recommend adding an insecure program to the list. @joubertredrat if you care about your security, you should stay away from using this.

joubertredrat commented 9 years ago

OK, you decide, I will not add it.

But shell_exec isn't insecure, applications are. When I need to, I use shell_exec without problems. I have had applications running for 3, 5, 6 years; these applications use shell_exec and I never had any trouble with this.

So remember, shell_exec isn't insecure, applications are insecure. It depends on how the application was made.

xetch commented 9 years ago

@joubertredrat I didn't say shell_exec is insecure, it has its purpose, but there is a reason why shell_exec is usually disabled and why it should only be used sparingly.
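The thread turns on whether shell_exec is left enabled on a server. The following is an added example, not part of the thread or of any project mentioned in it: a small audit that reads php.ini text and reports which command-execution functions the `disable_functions` directive leaves callable. The function list, the helper names and both sample configurations are assumptions constructed for illustration.

```python
import re

# PHP functions that run shell commands or spawn processes (a selection made
# for this example). PHP's backtick operator is disabled with shell_exec.
EXEC_FUNCTIONS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")

def disabled_functions(ini_text):
    """Return the names listed by the last active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            # Names are compared exactly as written, which errs on the side
            # of reporting a mis-typed entry as still callable.
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled

def callable_exec_functions(ini_text):
    """List the command-execution functions the configuration leaves enabled."""
    off = disabled_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in off]

# Constructed sample: directive present but empty, nothing is disabled.
SAMPLE_OPEN = """\
[PHP]
disable_functions =
"""

# Constructed sample: a commented-out line is ignored, the active line applies.
SAMPLE_RESTRICTED = """\
[PHP]
;disable_functions = shell_exec
disable_functions = exec, passthru, shell_exec, system, proc_open, popen
"""

if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        left = callable_exec_functions(text)
        print(f"{name}: callable = {', '.join(left) if left else 'none'}")
```

The audit covers php.ini text only; per-pool or per-vhost overrides set elsewhere are outside what it reads.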