We have an IRC application for Java, where users are allowed to execute arbitrary PHP and get the result. Here is one example of what this is used for:
btc: <php>$btc = json_decode(file_get_contents('https://btc-e.com/api/2/1/ticker'), true); $ticker = $btc['ticker']; echo "Current BTC Ticker: High: $".$ticker['high']." Low: $".$ticker['low']." Average: $" . $ticker['avg'];
We also have python customization, but we like PHP because PHP doesn't need new characters in the code anywhere. (Since this is an IRC, we cannot give it new lines unless we execute the downloaded .py web file)
The problem is how to prevent people from trying to use the system, for example, in:
<php>echo readfile("/etc/passwd");
That, obviously, would read the passwd file for everyone to see.
We also have this problem after we tried to block readfile ():
<php>$rf = readfile; echo $rf("/etc/passwd");
How should we protect this system? (The full code is on github, for anyone interested: https://github.com/clone1018/Shocky )
On the sidelines, no real confidential information is disclosed, since all this is in a virtual machine, so this is not a “temporary bomb” or anything else. We still want to block it.
source share