Question

I have a hacked Joomla site and ran a program called jamss which identifies possible security threats. One of the recommendations says:

Pattern #23 - shell command execution from POST/GET variables --> found 1 occurence(s) in file ./xxx/xxx/index.php

Details: "Found direct shell command execution getting variables from POST/GET, which is highly dangerous security flaw or a part of malicious webrootkit"

Line #: 12

But I don't understand what that means. The code is referring to this line:

defined('_JEXEC') or die('Restricted access');        <----------------------
$url = clone(JURI::getInstance());
$path = $this->baseurl.'/templates/'.$this->template;
$rel_path = $this->baseurl.'/images/stories/';

And I don't see any POST or GET variables there. Does anyone know why this line of code would be considered a security flaw?

Thanks


Solution

JAMSS rule #23 checks for these PHP functions:

exec|passthru|shell_exec|system|proc_|popen

If any is present in the script, the alert [23] will be triggered. Possibly JAMSS doesn't report the correct line or filename, but simply run a

grep -rnP "(?:exec|passthru|shell_exec|system|proc_|popen)[\w\W\s/\*]*\([\s/\*\#\'\"\w\W\-\_]*" .

on the command line and you should see the actual files and the line numbers. Careful: you'll also get some extra false positives.
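
An added example, not part of the original answer and not JAMSS code: it runs the pattern quoted above over a constructed PHP sample with line numbers, to show where the false positives come from. The case-insensitive run and the narrower `STRICT` pattern are assumptions made for illustration; under that assumption the `_JEXEC` line from the question also matches.

```python
import re

# Broad pattern as quoted in the answer above (rule #23).
BROAD = r"(?:exec|passthru|shell_exec|system|proc_|popen)[\w\W\s/\*]*\([\s/\*\#\'\"\w\W\-\_]*"
# Hypothetical narrower triage pattern (not from JAMSS): an actual call to one
# of the functions with request data in its arguments on the same line.
# It will miss input that is first copied into another variable.
STRICT = (r"(?<![\w>$:])(?:exec|passthru|shell_exec|system|proc_open|popen)"
          r"\s*\([^;]*\$_(?:GET|POST|REQUEST)\b")

# Constructed sample file; line 1 is the flagged line from the question.
SAMPLE = """defined('_JEXEC') or die('Restricted access');
$url = clone(JURI::getInstance());
// the file system cache is cleared (see docs)
$out = shell_exec('uptime');
system($_GET['c']);
"""

def scan(text, pattern, flags=0):
    """Return the 1-based line numbers that match pattern, like grep -n."""
    rx = re.compile(pattern, flags)
    return [n for n, line in enumerate(text.splitlines(), 1) if rx.search(line)]

def report(text):
    """Compare the broad rule, its case-insensitive form, and the strict triage."""
    return {
        "broad": scan(text, BROAD),
        # Assumption: the scanner applies the rule ignoring case.
        "broad_ignorecase": scan(text, BROAD, re.IGNORECASE),
        "strict": scan(text, STRICT),
    }

if __name__ == "__main__":
    for name, lines in report(SAMPLE).items():
        print(f"{name:17} -> lines {lines}")
```

The broad rule flags the comment on line 3 because the word "system" is followed later by a parenthesis; only line 5 passes a function call request data directly.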

Licensed under: CC-BY-SA with attribution