PHP command injection without $_POST or $_GET?

Hey all!

I'm learning about static PHP code analysis and I'm wondering if the following PHP code snippet might be vulnerable to an injection. OWASP's 'ASST' scanner says it likely is, but scanners can be finicky, so I thought I'd ask some experts. I'm having a really hard time finding a single example of non-POST or GET PHP injections that aren't something like HOSTNAME – are there even any other possible injection vulns outside of those?

ASST says the $df variable is vulnerable to command injection… I don't think that it is. All of the other variables are defined above this snippet of code, so no luck there.

foreach ($partitions as $partition) { $part = $partition[4]; if (strpos($part, $drive) !== FALSE) { $df = array(); exec('df /dev/' . $part, $df); if (@preg_match('#\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(.*)#', $df[1], $matches)) { $this->{$drive}->used += $matches[2] * 1024; $this->{$drive}->percentage = $this->{$drive}->used / $this->{$drive}->size * 100; if ($matches[2] == 0 && $part == 'vda') { # assume main drive $df = array(); exec('df /', $df); if (@preg_match('#\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(.*)#', $df[1], $matches)) { $this->{$drive}->used += $matches[2] * 1024; $this->{$drive}->percentage = $this->{$drive}->used / $this->{$drive}->size * 100; } } } } } 

Thoughts? Thank you!

Touch here for the full post on Network Security Noblemen tumblr

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s