Posted by Toby Inkster on 01/19/07 09:52
PB wrote:
> <?php
> system("babel $data['mol'] -oxyz:struct.xyz -h");
> ?>
Where does the value for $data['mol'] come from? A database? A user? Can
you trust it? What happens if a nasty user finds out a way of setting:
$data['mol'] = '; rm -fr ~; echo';
Then your command becomes:
system("babel ; rm -fr ~; echo -oxyz:struct.xyz -h");
Which is equivalent to running the following:
system("babel");
system("rm -fr ~");
system("echo -oxyz:struct.xyz -h");
Note that the middle command here deletes all your files. I repeat,
DELETES ALL YOUR FILES. It would be possible to substitute in pretty much
any command -- rather than deleting your files, the attacker could do
something less obvious, but equally nasty, such as hijacking your site,
considered trustworthy by its regular visitors, to distribute viruses.
To protect against this, you should use addslashes() to escape the value
of $data['mol'] and then surround it with quote marks. For example:
$cmd = sprintf("babel '%s' -oxyz:struct.xyz -h",
addslashes($data['mol']));
system($cmd);
This will also fix your error, which was caused by trying to interpolate
an array member into a string. When you do that, you must use the curly
brace notation. For example:
<?php
$array['animal'] = 'cat';
echo "It was a $array['animal']."; // Doesn't work
echo "It was a ${array['animal']}."; // Works
echo "It was a {$array['animal']}."; // Works
// printf() is another option:
printf('It was a %s.', $array['animal']);
?>
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
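Added example, not part of the post above: a small PHP CLI script that builds the babel command line three ways (raw interpolation, the addslashes()-plus-quotes pattern from the reply, and escapeshellarg()) and runs each through /bin/sh with a harmless stand-in for babel, so you can see which ones let the injected command execute. The function names, the stand-in program and the two payloads are constructed for illustration; it assumes a POSIX shell (escapeshellarg() quotes differently on Windows).

```php
<?php
// Added example, not from the original post. Compares three ways of building
// the babel command line from an untrusted $data['mol'] value and runs each
// through /bin/sh with a stand-in program so the injection becomes visible.
// Assumes a POSIX shell; escapeshellarg() quotes differently on Windows.

declare(strict_types=1);

// The program name is a parameter so the demo can substitute a stand-in;
// real code would pass 'babel'.
function buildUnsafe(string $prog, string $mol): string
{
    // The pattern from the original question: raw interpolation, no quoting.
    return "$prog $mol -oxyz:struct.xyz -h";
}

function buildAddslashes(string $prog, string $mol): string
{
    // The pattern from the reply above. addslashes() backslash-escapes ', ", \
    // and NUL, but /bin/sh does not honour backslashes inside single quotes,
    // so a quote in the input still terminates the quoted string.
    return sprintf("%s '%s' -oxyz:struct.xyz -h", $prog, addslashes($mol));
}

function buildEscapeshellarg(string $prog, string $mol): string
{
    // escapeshellarg() wraps the value in single quotes and rewrites every
    // embedded ' as '\'' , which is the quoting /bin/sh actually needs.
    return sprintf("%s %s -oxyz:struct.xyz -h", $prog, escapeshellarg($mol));
}

// True if running $cmd produced a bare INJECTED line, i.e. the attacker's
// command executed instead of being passed through as an argument.
function injectionSucceeded(string $cmd): bool
{
    $out = shell_exec($cmd . ' 2>/dev/null');
    if (!is_string($out)) {
        $out = '';
    }
    return in_array('INJECTED', explode("\n", $out), true);
}

// Stand-in for babel (constructed): prints each argument it received in
// brackets on its own line, so argument boundaries are visible and nothing
// from the arguments is ever executed.
$stub = "printf '[%s]\\n'";

// Constructed payloads. 'bare' is the one from the reply above. 'quoted' is
// shaped for the addslashes() version: its quotes close the single-quoted
// string, and the backslash addslashes() inserts is just a literal there.
$payloads = [
    'bare'   => '; echo INJECTED; echo',
    'quoted' => "'; echo INJECTED; echo '",
];

$builders = [
    'unsafe'         => 'buildUnsafe',
    'addslashes'     => 'buildAddslashes',
    'escapeshellarg' => 'buildEscapeshellarg',
];

foreach ($builders as $name => $build) {
    foreach ($payloads as $pname => $mol) {
        $cmd = $build($stub, $mol);
        printf("%-15s %-7s %s\n    %s\n",
            $name, $pname,
            injectionSucceeded($cmd) ? 'INJECTED' : 'safe',
            $cmd);
    }
}
```

Run it with the PHP CLI on a Unix box. The raw version is hit by the bare payload, the addslashes() version by the quoted one (sh sees `'\'; echo INJECTED; echo \''`, where `'\'` is just the string `\` and the rest runs as separate commands), and escapeshellarg() passes both through as a single argument. The bare payload happens not to break the addslashes() version, which is why testing a shell escaper with one payload proves little. If you can, avoid the shell altogether: since PHP 7.4 proc_open() accepts the command as an array and executes it directly, so there is nothing for the metacharacters to act on.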