Most Dangerous Block on the Planet

I needed a block that I could execute bash, perl, python, etc... scripts (mysqltuner.pl at first), so I used ND's php code block and modified it to use php's exec function. VERY VERY Dangerous and should be used with extreme caution! I will submit it to the marketplace for free if there is any interest. It has been tested on Linux only, but should work with any operating system. Any brave souls willing to give it a try? See attached.

*EDIT* I removed the package from this post. If you would like to look at it just "shoot me a note".

nteaviation
 
Phallanx replied on at Permalink Reply
Phallanx
Yeah. I'm brave (stupid) enough.

Works on Windows as well.

Small suggestion:
if ($csresult) {
    // Print each line of output captured from the command
    foreach ($csarray as $s) {
        echo $s;
    }
} else {
    echo "Command Failed";
}
nteaviation replied on at Permalink Reply
nteaviation
Yea I was planning on doing that. I like your way of doing it :)
Mnkras replied on at Permalink Reply
Mnkras
I really don't think that this should be in the MP (I don't even think that the php block should be in there)

It's just inviting someone to hack the site.

You should either make a block, single_page, or pagetype that does this stuff.
nteaviation replied on at Permalink Reply
nteaviation
I am all ears. I will look into the single page and page type options. For me, I run my own servers so hacking is very difficult and less of a concern.
nteaviation replied on at Permalink Reply
nteaviation
Mnkras: So what you are saying is to make a "stand-alone block" for each application, for example one for mysqltuner.pl. You would not allow any user input into the block add/edit and automatically set up the "path/mysqltuner.pl parameters" (aka $content) database entry that is used by the php exec($content) function. Or easier yet, just have the user enter the path to mysqltuner.pl via block add/edit and hardcode it as exec($content."/mysqltuner.pl --nocolor etc...").

Doing it on a per application basis creates the possibility of hundreds/thousands of already pre-written scripts to populate the MP as standalone blocks/pages/page types.

Just wondering...

JK
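
The per-application approach discussed in this thread, as an added example that is not code from any poster or from the removed package: the block stores only a key, and the command line is built from a fixed table instead of a free-text $content entry. The table contents, the /opt/scripts path and the function name run_allowed_script are assumptions.

```php
<?php
// Added example. Paths, keys and arguments below are assumed placeholders.
// The block's add/edit form would store only a key from this table,
// never a command string, so nothing typed by an editor reaches exec().
const ALLOWED_SCRIPTS = [
    // key => [absolute path to script, fixed argument list]
    'mysqltuner' => ['/opt/scripts/mysqltuner.pl', ['--nocolor']],
];

function run_allowed_script(string $key): array
{
    if (!array_key_exists($key, ALLOWED_SCRIPTS)) {
        return ['ok' => false, 'output' => ['Unknown script key']];
    }
    [$path, $args] = ALLOWED_SCRIPTS[$key];

    // The path must exist, resolve to itself (no symlink or ../ detour)
    // and be executable by the web server user.
    $real = realpath($path);
    if ($real === false || $real !== $path || !is_executable($real)) {
        return ['ok' => false, 'output' => ['Script not installed']];
    }

    // Quote every token so the shell sees them as literal arguments.
    $cmd = escapeshellarg($real);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }

    $output = [];
    $status = 1;
    exec($cmd, $output, $status);
    return ['ok' => $status === 0, 'output' => $output];
}

// Constructed inputs: one valid key, one free-text command as the
// original exec($content) block would have accepted.
foreach (['mysqltuner', 'ls -la /'] as $key) {
    $result = run_allowed_script($key);
    echo $key, ': ', $result['ok'] ? 'ran' : 'refused or failed', "\n";
    foreach ($result['output'] as $line) {
        // Escape before display, since script output ends up in a page.
        echo '  ', htmlspecialchars($line), "\n";
    }
}
```

On a machine without the assumed script, both inputs come back refused: the first because the file is missing, the second because it is not a key in the table.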
nteaviation replied on at Permalink Reply
nteaviation
I pulled this package from the post until further review. Let me know if you have an interest and I will shoot you a copy.
Mnkras replied on at Permalink Reply
Mnkras
Well, using that block someone could jack the whole file system, they could
create malicious files using it also, where if you have a block, they can't
change the code to be malicious. You can submit it, but it's Andrew and
Franz's choice

Mike
On May 13, 2011 11:54 AM, "Concrete5 Community" <discussions@concretecms.com>
wrote:
nteaviation replied on at Permalink Reply
nteaviation
I agree. That's why I pulled it. If a novice got a hold of it they could easily run a very dangerous command (for example: rm -r /*). For the experts (that have a bunch of bash, perl and python scripts), it opens up the entire programming platform to them and provides an API that could greatly enhance C5's MP.
Seems like we are "Darned if you do and darned if you don't" in regard to novice safety and expert free rein.

These are the kind of programming challenges that I love. I am confident that somewhere in the middle is a viable solution that both the C5 community and myself will find useful.

I will keep this little gem in my arsenal and provide it to others on a "case by case basis".