PHP provides different functions which when called allow shell code execution on the server. This is a list of functions which are used for shell command execution:
– system: Executes a command and returns its output
– shell_exec: Executes a command and displays the output immediately
– passthru: Executes a command and displays the raw output –
– backtick operator (“): Executes contents inside the backtick as a shell command
– popen: Executes a command and returns a pointer
– exec: Executes a command and returns the last line of the output
– pcntl_exec: Executes a command or a program
– proc_open: Similar to popen()
Remote Code Execution (RCE) or also known as Command injection in terms of the web application attacks, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for performing the command in the website’s hosting server.
This vulnerability is one of the common web application vulnerabilities that enables an attacker to perform arbitrary codes in the system. The RCE also included in OWASP (Open Web Application Security Project) Top Ten Web Application Security Risks.
In the event where code evaluation is necessary, it is important for any user input to be very heavily validated, with as many limitations as possible on the inputted data.