fsockopen to user-entered IP address - security concern

Question

I'm currently building a website that allows people who own a server for an online video game to better control their server without typing in console commands. In order to do this, the user enters their game server's IP address and port, and my script attempts to make a tcp connection using fsockopen(). It then sends a command (using the source server query protocol) using fwrite and listens for the expected response.

So far the functionality is working beautifully but I'm concerned about allowing an fsockopen connection to literally any address. For security, what could happen if the user has full control over the connecting server? Is there any code execution or other serious concerns I should be aware of?

Thank you very much.

Answer 1

The issue probably is not so much that your server could get compromised, simply reading values off a socket is safe in PHP, unless PHP itself has got a bug.

I would rather be concerned about arbitrary users being able to connect to any service on the internet. Depending on how you implemented it your machine could be used to send out spam, to help in a DDoS or other kind of attacks.

So:

• Disallow certain ports to be entered (Everything < 1024 is a “well known” port)
• Disallow certain IP ranges (such as 10/8, 127/8)
• Disallow anything else that cannot be a sane value
• Rate limit it
• Keep track of the actions execute in case your machine is used for something malicious