I understand security risks and input validation etc. I'm looking for a short and quick proof of concept script. This would be on a Linux system. I assume PHP would be easiest, but if you can do it in HTML or JS easier, by all means...
I want a web page with two buttons, one starts the telnet service, and another shuts it off. Maybe even a label that shows the current status of said service at page load time if you want to go the extra mile.
This script isn't going to be used live, I'm using it to wrap my head around PHP security layers.
I'm not sure if: php can/should directly execute the service start/stop command. Or should there be two scripts, one to start, and one to stop the service, and the php buttons just kick off the scripts. If so I assume that the scripts should remain in a non-web readable directory with read-only permissions.
Thanks for your time!
Happy coding!
Yes, I know telnet is insecure. I just picked that service at random. It's the method here that I'm after, not the use.
I've read up on exec; most examples have it echoing a file, for example. I'm looking to kick off a file in the background, either directly, or through a script file. I figure the script file would be more secure, however if the script file runs with the same permissions as php_server then it really doesn't matter.
The point of my test case is to have PHP perform a 'root' function, with as little chance as possible of corruption (i.e., no user input but a stop/go button).
I've seen php pages crash horribly and dump php script back to the browser, really bad if you have plain text passwords hardcoded in your php (which I don't have).
Before someone corrects me, yes, I know php_server is wrong on many levels. PHP is a language, not a server; I'm using Apache as my web server in this instance. I'm not sure if PHP scripts kicking off a file would run under a php userid, apache. It obviously wouldn't be prudent to have the script escalate its UID to root.
Thanks for the suggestions GP, but this really is just a simple proof of concept app, a .php page with 2 buttons, and the code to be called by the buttons (that turn a service on and off).
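One way to lay out the two-button page described in the post, as an added example that is not part of the original post. It assumes a hypothetical root-owned wrapper script at `/usr/local/sbin/svc-toggle`, stored outside the web root, which accepts only `start`, `stop` or `status`, and a sudoers rule that lets the web server user run exactly that wrapper without a password. The PHP page never builds a shell command and never sees the service name.

```php
<?php
// Added example. Assumed, hypothetical setup: a root-owned wrapper outside the
// web root that accepts only "start", "stop" or "status", plus a sudoers rule
// allowing the web server user to run exactly that wrapper without a password.
declare(strict_types=1);
session_start();

const WRAPPER = '/usr/local/sbin/svc-toggle';  // hypothetical path
const ACTIONS = ['start', 'stop'];             // only values a button may send

function run_wrapper(string $action): array
{
    // Array command (PHP >= 7.4): argv is passed directly, no shell is involved.
    $cmd = ['/usr/bin/sudo', '-n', WRAPPER, $action];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [1, ''];
    }
    $out = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), trim($out)];
}

if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Bad request');
    }
    $action = $_POST['action'] ?? '';
    if (in_array($action, ACTIONS, true)) {   // anything else is ignored
        [$code] = run_wrapper($action);
        $message = $code === 0 ? "Requested: $action" : 'Action failed';
    }
}
[, $status] = run_wrapper('status');          // shown at page load
?>
<p>Status: <?= htmlspecialchars($status, ENT_QUOTES) ?></p>
<p><?= htmlspecialchars($message, ENT_QUOTES) ?></p>
<form method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES) ?>">
  <button name="action" value="start">Start</button>
  <button name="action" value="stop">Stop</button>
</form>
```

The wrapper should re-check its single argument against the same three words, since the sudoers rule and the wrapper are the real privilege boundary and the PHP allowlist only reduces what reaches them.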