#4467 (ok 4.2.5) shell_exec() has been disabled for security reasons

4.2.4
fixed
None
1
2014-06-26
2014-06-20
azurIt
No

This warning is displayed on every SQL result page (see attachment). This wasn't happening before - why it needs to run shell_exec at all?

1 Attachments

Discussion

1 2 > >> (Page 1 of 2)
  • Marc Delisle

    Marc Delisle - 2014-06-20

    Hi,
    Where did you download your 4.2.3 version? The error lines you are showing, do not match the code in the official 4.2.3 release.

     
  • azurIt

    azurIt - 2014-06-20

    Directly from your sorceforge site - i still have the bz2 archive (attaching). According to modification time, it wasn't modified since i downdloaded it on 9.6. at 00:47 (also all phpmyadmin files).

     
  • azurIt

    azurIt - 2014-06-20

    I tried to redownload and reinstall phpmyadmin and warnings persists.

     
  • Marc Delisle

    Marc Delisle - 2014-06-20

    Is your server SunOS ? The only place we are calling shell_exec() is in libraries/sysinfo.lib.php, which is called from Monitor. You may try to deactivate the lines inside the _kstat() function of this file.

    However, you can have a look at DisplayResults.class.php line 2044, which does not call shell_exec().

     
  • azurIt

    azurIt - 2014-06-20

    Debian Wheezy 64bit. I tried to comment it and warninigs are still there. This is line 2044 from ./libraries/DisplayResults.class.php:
    $clause2 = $sort_tbl . str_replace('`', ``, $clause);

    This is really strange. I also tried to grep 'shell_exec' and it was found only in libraries/sysinfo.lib.php as you said (but it can be encoded somewhere so it cannot be grepped). Any hints?

     
  • Marc Delisle

    Marc Delisle - 2014-06-20

    Try closing all browser windows, open the browser, log in via phpMyAdmin and only try to browse the table in question.

     
  • azurIt

    azurIt - 2014-06-20

    Didn't help, i also tried to remove all cookies and use different browser.

     
  • Marc Delisle

    Marc Delisle - 2014-06-20

    Maybe disable any opcode caching or unusual PHP extension.

     
  • azurIt

    azurIt - 2014-06-20

    The strange it that when i include this in phpmyadmin apache config:

    php_admin_flag log_errors on
    php_admin_value error_log /usr/share/phpmyadmin/PHP_errors.log
    php_admin_value error_reporting 32767

    nothing is logged as no warnings were raised from PHP (yes, file permissions are ok).

     
  • azurIt

    azurIt - 2014-06-20

    There is no opcode cache, attaching phpinfo. I also tried to restart memcached server, didn't help.

     
  • Marc Delisle

    Marc Delisle - 2014-06-20

    Are you sure that the directory where you installed phpMyAdmin is the one from which you are running it? You may try adding some message to index.php, to see if it shows up.

     
  • azurIt

    azurIt - 2014-06-20

    yes, i'm 100% sure (but i also checked it)

     
  • azurIt

    azurIt - 2014-06-20

    The problem is happening from 4.2.0, it's NOT happening in 4.1.14.

     
  • azurIt

    azurIt - 2014-06-20

    still a problem in 4.2.4

     
  • Marc Delisle

    Marc Delisle - 2014-06-20

    As an extreme test, if you rename libraries/DisplayResults.class.php to something else, is there still an error coming from this script?

     
  • azurIt

    azurIt - 2014-06-20

    yes but this:

    Warning in ./libraries/sql.lib.php#2270
    include(libraries/DisplayResults.class.php): failed to open stream: No such file or directory

     
  • azurIt

    azurIt - 2014-06-20

    the error is really raised by that line - if i replace it with:
    $clause2 = '';

    no errors are displayed. really strange

     
  • azurIt

    azurIt - 2014-06-20

    i fixed the error with this:
    $clause2 = $sort_tbl . str_replace('`', '', $clause);

    i replaced "``" with "''". looks really strange, characters "`" are used in the shell to execute commands (everything between them are executed as commands in bash and replaced by output). maybe a PHP bug?

     
    Last edit: azurIt 2014-06-20
  • Marc Delisle

    Marc Delisle - 2014-06-20

    You're right, this looks like a typo.

     
  • Marc Delisle

    Marc Delisle - 2014-06-20
    • assigned_to: Marc Delisle
     
  • azurIt

    azurIt - 2014-06-20

    i suggest to check if there isn't somewhere something like `$user_input`, it could be really dangerous.

     
  • Marc Delisle

    Marc Delisle - 2014-06-20
    • summary: shell_exec() has been disabled for security reasons --> (ok 4.2.5) shell_exec() has been disabled for security reasons
    • status: open --> resolved
    • Group: 4.2.3 --> 4.2.4
    • Priority: 5 --> 1
     
  • azurIt

    azurIt - 2014-06-20

    thank you!

     
1 2 > >> (Page 1 of 2)

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks