Built-in unauthenticated remote code execution.
Oh, I would never actually eval() anything that I get over the internet. I don't even use filepaths directly, to avoid path exploits. I pre-cache the available files either in RAM or in the database; when a request comes in, I basically use defined() to check if that key exists.
In the case of command handling, I'd basically do the same: "Is the text after 'eval ' in my cache? No? Then ignore the command; else return the static text from the hash."
There is pretty much exactly ONE case where I have to run user-provided code. That thing runs server-side JavaScript in a JavaScript::Embedded sandbox, inside a sandboxed virtual machine. And every call and every code change is logged, and the logs are sent to a second server (one-way communication). And if the server detects any funny business, the source IP is automatically firewalled. I'm not taking any chances.
Oh sure, my system might still have remote exploits (pretty much every server software does), but I take great care to prevent any potential attack vectors using defense-in-depth design choices and not trusting the client in the slightest. The thing certainly isn't perfect, but my software has now been running for 15+ years on the net, and so far I haven't had a break-in or even a JavaScript injection.
Taint mode
That's one thing I don't use. Not explicitly, anyway. I treat every user input as tainted, but my software doesn't technically support taint mode.
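The allowlist approach described in the post (pre-cached file keys checked with exists/defined, and command text used only as a hash key rather than passed to eval), as an added Perl example that is not the poster's own code. The file paths, command table and sample requests are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);

# Constructed data: a pretend document root with three servable files.
# In real use this hash is built once at startup by scanning the directory,
# so the client-supplied name is only ever a lookup key, never a path.
my %FILES = map { basename($_) => $_ } (
    '/srv/www/docs/index.html',
    '/srv/www/docs/about.html',
    '/srv/www/docs/logo.png',
);

# Static responses for the few commands the server understands.
my %COMMANDS = (
    'version' => 'myserver 1.0',
    'uptime'  => 'up since boot',
);

# Resolve a client-supplied name to a real path without using the client's
# bytes as a path: only keys that exist in the cache are served.
sub resolve_file {
    my ($name) = @_;
    return unless defined $name && exists $FILES{$name};
    return $FILES{$name};
}

# Handle a line of the form "eval <command>": the text after "eval " is used
# purely as a hash key, so it is never interpreted as code.
sub handle_command {
    my ($line) = @_;
    return unless defined $line && $line =~ /^eval (.+)$/;
    my $key = $1;
    return unless exists $COMMANDS{$key};   # unknown command -> ignored
    return $COMMANDS{$key};
}

# Demonstration: a traversal attempt and an injected expression both fall through.
for my $req ('index.html', '../../etc/passwd', 'logo.png') {
    my $path = resolve_file($req);
    printf "%-20s -> %s\n", $req, defined $path ? $path : 'ignored';
}
for my $cmd ('eval version', 'eval 1+1', 'eval uptime') {
    my $out = handle_command($cmd);
    printf "%-20s -> %s\n", $cmd, defined $out ? $out : 'ignored';
}
```

Because no tainted byte ever reaches open() or eval(), the same code also runs unchanged under perl -T.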