I have a web page that lets users enter commands and then I am using proc_open()/exec() in php to run these commands on the terminal.
I sent in the command 'whoami' and it returned 'www-data' which represents apache afaik. So is this a security risk, does anyone know what this www-data user is and isn't allowed to do on a system?
I sent in the command 'rm delete_me.txt' to delete a file called delete_me.txt which is stored in a subfolder of the apache document root /var/www/subfolder/ and it wouldn't delete the file, it gave an error saying -
HTML Code:
rm: cannot remove `/var/www/subfolder/delete_me.txt': Permission denied
So that seems pretty promising security wise, considering it won't even let www-data delete files from apaches own document root...
Bookmarks