Stack,
I want to scan each file that gets uploaded via my php upload script with clam anti-virus's clamscan tool. I think I've got a good script written but I wanted to run it past you guys.
So assuming that the file I'm sending to this php upload script is named "uploadedfile" does the following code make sense?
<?php
$safe_path = escapeshellarg('/tmp/' . $_FILES['uploadedfile']['tmp_name']);
$command = 'clamscan ' . $safe_path;
$out = '';
$int = -1;
exec($command, $out, $int);
if ($int == 0) {
// all good, code goes here uploads file as normal IE move to
permanent directory etc;
} else {
unlink('/tmp/' . $_FILES['uploadedfile']['tmp_name']);
header(Location: http://www.domain.com/uploadform.php?error=your-file-was-infected-pal);
}
?>
Also, will clamscan find php shells as well as traditional good old malware?
Thanks!
Update - found the answer
I answered my own question but don't have the reputation to officially do so. Here is the anser:
For those who come after. I've tested this script using the EICAR test virus file http://eicar.org/86-0-Intended-use.html and after a few tweaks it works. The return variable $int is what tells you whether or not the file is safe or not. If $int is 0, no virus was found, if $int is 1, a virus was found. However, there are some changes that I had to make the script work (I updated the $safe_path variable to be correct), here is the working script:
<?php
$safe_path = escapeshellarg($_FILES['uploadedfile']['tmp_name']);
$command = 'clamscan ' . $safe_path;
$out = '';
$int = -1;
exec($command, $out, $int);
if ($int == 0) {
// all good, code goes here uploads file as normal IE move to
permanent directory etc;
} else {
//whatever you need to do if a virus is found.
}
?>
Note that if your server runs a clamav daemon (clamd) it may be possible to use clamdscan instead of clamscan as proposed, this usage is faster since use virus signatures already loaded by clamd.
Just be careful. If your clamscan becomes outdated you'll get feedback in the output:
It will look like this:
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
Also depending on the version of clamscan the "result" might look like this (and you'll need to parse it accordingly):
[filename]: OK
----------- SCAN SUMMARY -----------
Known viruses: x
Engine version: x.x.x
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: x.xx MB
Data read: x.xx MB (ratio 0.00:1)
Time: x.xx sec (0 m x s)
I had a lot of trouble with permissions when trying to run this with clamdscan. I found a solution for the permissions problem here: https://wiki.archlinux.org/index.php/ClamAV
This changed this line:
$command = 'clamscan ' . $safe_path;
to:
$command = 'clamdscan --fdpass ' . $safe_path;
Seemed to successfully pass a good file and flag an EICAR file.
Related
I am trying to create a server within my Android phone. I am unable to execute any shell script from my PHP code.
Here's the code:
//index.php
<?php
$output=shell_exec("sdcard/htdocs/myscript.sh 2>&1");
if(!$output){
echo "Failed";
}else{
echo $output;
}
?>
//myscript.sh
cd sdcard/htdocs/images
ls -t1 | head -n 1
The script works fine within terminal emulator. I also tried changing permissions of the script file but that didn't work. I don't know if it requires superuser permissions to execute shell scripts within PHP code.
The whole code is used to return the filename of the last file created in the images directory.
Need suggestions to make this code work.Is there any other way to perform the required job?
Make sure what you have run
chmod a+x sdcard/htdocs/myscript.sh
on your file.
Also $output is not a boolean.
Your code looks fine. Superuser permission is not necessary for script execution. You should turn on PHP error output or check the PHP error log file. I bet you find the reason there. If not, recheck the directory, and file permissions:
./index.php
./sdcard/htdocs/myscript.sh
./sdcard/htdocs/images
sdcard and sdcard/htdocs require executable persmissions. sdcard/htdocs/images requires executable and read permission (ls in myscript.sh), and so does sdcard/htdocs/myscript.sh. But I guess it's something else because permission errors should be displayed (2>&1).
Edit
You can find the last modified file with PHP, no need to run another process. Take one of these two:
$images = glob('sdcard/htdocs/images/*');
$images = array_combine(array_map('filemtime', $images), $images);
asort($images);
echo $lastModifiedImage = end($images);
Or with some fewer array operations:
$images = glob('sdcard/htdocs/images/*');
array_reduce($images, function($previous, $element) use (&$found) {
$mtime = filemtime($element);
$found = $previous < $mtime ? $found : $element;
return $previous < $mtime ? $mtime : $previous;
}, 0);
echo $found;
sdcard and sdcard/htdocs require executable persmissions. sdcard/htdocs/images requires executable and read permission (ls in myscript.sh), and so does sdcard/htdocs/myscript.sh. But I guess it's something else because permission errors should be displayed (2>&1).
Probably FAT !
I'm trying to execute a separate PHP script from within a PHP page. After some research, I found that it is possible using the exec() function.
I also referenced this SO solution to find the path of the php binary. So my full command looks like this:
$file_path = '192.168.1.13:8080/doSomething.php';
$cmd = PHP_BINDIR.'/php '.$file_path; // PHP_BINDIR prints /usr/local/bin
exec($cmd, $op, $er);
echo $er; // prints 127 which turns out to be invalid path/typo
doSomething.php
echo "Hi there!";
I know $file_path is a correct path because if I open its value; i.e. 192.168.1.13:8080/doSomething.php, I do get "Hi there!" printed out. This makes me assume that PHP_BINDIR.'/php' is wrong.
Should I be trying to get the path of the php binary in some other way?
The file you are requesting is accessible via a web server, not as a local PHP script. Thus you can get the result of the script simply by
$output = file_get_contents($file_path);
If you however for some reason really have to exec the file, then you must provide a full path to that file in your server directory structure instead of server URL:
$file_path = '/full/path/to/doSomething.php';
$cmd = PHP_BINDIR.'/php '.$file_path;
exec($cmd, $op, $er);
I was wondering what's wrong with my code, if I use clamscan, it works fine both reading from /tmp, or manually specified the path. but if I use clamdscan, any path from /tmp will result in error (the int result is 2). This is the code.
$command = 'clamdscan ' . escapeshellarg($_FILES['file']['tmp_name']);
$out = '';
$int = -1;
exec($command, $out, $int);
echo "\n" . $command;
echo "\n" . $out;
echo "\n This is int = " . $int;
if ($int == 0) {
// all good, code goes here uploads file as normal IE move to
//echo "File path : ".$file."Return code : ".cl_pretcode($retcode);
//echo "\n";
move_uploaded_file($_FILES["file"]["tmp_name"], "filesave/" . $_FILES["file"]["name"]);
echo "Stored in: " . "filesave/" . $_FILES["file"]["name"];
} else {
echo "\n FAILED";
}
based on above code, it will failed because $int = 2. But, if I change the command to
//some file that is saved already in the directory
$command = 'clamdscan ' . '/abc/abc.txt';
It works perfectly fine.
It only failed if the command is clamdscan. if I use clamscan, temp directory is fine
any idea?
You should really just use one of the many clamd clients out there instead of relying on exec'ing a command and parsing its output, that's super fragile and will bring you nothing but headache in the future. For example:
http://torquecp.sourceforge.net/phpclamcli.html
If you are the do-it-yourself type, the clamd wire protocol is super simple (http://linux.die.net/man/8/clamd) and you could potentially write up a simple client in a couple of hours. Again, the benefit here is that it's a well defined protocol and has some nice features like a streaming call that allows you to operate the clamd service and your webapp with completely difference security credentials (heck they can even run on different boxes).
I hope this helps.
Just a quick remark on using http://torquecp.sourceforge.net/phpclamcli.html as a supposedly better alternative to a DIY cli exec. The aforementioned php script does entirely rely on the syntax of the clamav response text as well.
Old question but I've just had the same issue. clamdscan runs as user clamav which doesn't have permission to files in /tmp. There is an additional parameter --fdpass which runs the command as the user running the script.
Using $command = 'clamdscan --fdpass' . escapeshellarg($_FILES['file']['tmp_name']); should run the command as the www user which will have access to the temporary file.
In windows, I open a dir, read the files, and for each file, run stat to determine the size, etc.
The problem is that when I run stat on a folder SHORTCUT, it comes back as a FOLDER, and I can't see anywhere in the mode bitmask that might indicate this. This has been true for all of the folder shortcuts in c:\Documents and Settings\myUserName\.
For these shortcuts, is_file returns false, is_dir returns true and is_link isn't supported in XP.
Here's an excerpt from my code (it has been trimmed down, so there may be bugs) :
if(($h=#opendir($root))!==false){
while (false !== ($file = readdir($h))){
if(!($file=="." || $file=="..")){
if( $stat = #lstat($root . $file) ){
$ary[0] = $file;
$ary[1] = $root;
$ary[2] = Date("m/d/y H:i:s", $stat['mtime']);
if($stat['mode'] & 040000){
$ary[3]="dir";
$ary[4]=0;
}else{
$ary[3] ="file";
$ary[4] = $stat['size'];
}
echo(json_encode($ary));
}
}
}
}
A workaround for this will be appreciated...
EDIT: Winterblood's solution almost worked
First off - my bad - it's a win7 machine.
Thanks Winterblood for the quick turnaround - this worked for several of the shortcuts, and the PHP manual says just that... However,
c:\users\myUserName\AppData\Local\Application Data
(and others) are still coming back as directories, while winSCP correctly sees them as shortcuts. As a matter of fact, the 'mode' is 040777, which is exactly the same as many real folders.
Any other suggestions?
PHP's stat() function "follows" shortcuts/symlinks, reporting details on the linked file/folder, not the actual link itself.
For getting stat details on the link itself use lstat().
More information in the PHP documentation on lstat.
I have the following code
function generate_pdf() {
$fdf_data_strings = $this->get_hash_for_pdf();
#$fdf_data_names = array('49a' => "yes");
$fdf_data_names = array();
$fields_hidden = array();
$fields_readonly = array();
$hud_pdf = ABSPATH.'../pdf/HUD3.pdf';
$fdf= forge_fdf( '',
$fdf_data_strings,
$fdf_data_names,
$fields_hidden,
$fields_readonly );
/* echo "<pre>";
print_r($fdf);
echo "</pre>";
die('');
*/
$fdf_fn= tempnam( '.', 'fdf' );
$fp= fopen( $fdf_fn, 'w' );
if( $fp ) {
fwrite( $fp, $fdf );
//$data=fread( $fp, $fdf );
// echo $data;
fclose( $fp );
header( 'Content-type: application/pdf' );
header( 'Content-disposition: attachment; filename=settlement.pdf' ); // prompt to save to disk
passthru( 'pdftk HUD3.pdf fill_form '. $fdf_fn.' output - flatten');
unlink( $fdf_fn ); // delete temp file
}
else { // error
echo 'Error: unable to open temp file for writing fdf data: '. $fdf_fn;
}
}
}
is there anything wrong with it?
the problem is, I have installed pdftk
runing whereis pdftk gives me '/usr/local/bin/pdftk'
physically checked the location, pdftk is there at the said location..
using terminal, if i run pdftk --version or any other command, it runs
if I use php like passthru('/usr/local/bin/pdftk --version') nothing is displayed
if I used php like system("PATH=/usr/local/bin && pdftk --version"); it says '/usr/local/bin /pdftk :there is no directory of file '
when I run this function script , prompt for file download pops, but when i save it, nothng is saved,
i have checked permission for this folder and changed it 0755, 0766, 0777, 0666 i have tried all, nothng works
For 3 days, i am striving to get over it, and I have asked question regarding this too, but Can't figure out what the hell is going on with me.
Can somebody help me before i strike my head with wall?
The pasthru function does not execute the program through the shell.
Pass the exact path into the passthru command.
E.g.
passthru( '/usr/local/bin/pdftk HUD3.pdf fill_form '. $fdf_fn.' output - flatten');
or
passthru( '/usr/local/bin/pdftk' . $hud_pdf . 'fill_form '. $fdf_fn.' output - flatten');
If this still doesn't work test using
<?php passthru("/path/to/pdftk --help"); ?> where /path/to/pdftk is your path returned by which or where is, to ensure path is correct.
If path is correct then the issue may be related to permissions either on the temporary directory you tell pdftk to use or the permissions on the pdftk binary with regards to the apache user.
If these permissions are fine you can verify the pdftk starts up from php but hangs from running your command, then might be able to try the workaround listed here.
Further documentation on passthru is avaliable passthru PHP Manual.
As a side note, the putenv php function is used to set environment variables.
E.g. putenv('PATH='.getenv('PATH').':.');
All 3 PHP functions: exec(), system() and passthru() executes an external command, but the differences are:
exec(): returns the last line of output from the command and flushes nothing.
shell_exec(): returns the entire output from the command and flushes nothing.
system(): returns the last line of output from the command and tries to flush the output buffer after each line of the output as it goes.
passthru(): returns nothing and passes the resulting output without interference to the browser, especially useful when the output is in binary format.
Also see PHP exec vs-system vs passthru SO Question.
The implementation of these functions is located at exec.c and uses popen.
I had the same issue and this is working after lots of experiments :
function InvokePDFtk($pdf_tpl, $xfdf,$output){
$params=" $pdf_tpl fill_form $xfdf output $output flatten 2>&1";
$pdftk_path=exec('/usr/bin/which /usr/local/bin/pdftk');
$have_pdftk= $pdftk_path=='/usr/local/bin/pdftk' ;
$pdftk_path=$have_pdftk ? $pdftk_path : 'pdftk ';
exec($pdftk_path.$params,$return_var);
return array('status'=> $have_pdftk,
'command' =>$pdftk_path.$params, 'output'=>$return_var);
}
hope this might give you some insight . (change according to your needs)
Completing Appleman answer, those 3 functions can be considered as dangerous, because they allow you execute program using php, thus an attacker that exploited one of your script if you are not careful enougth. So in many php configuration that want to be safe they are disabled.
So you should check for the disable_functions directive in you php.ini(and any php configuration file) and see if the function you use is disabled.
Perhaps you should keep fclose out of the if statement, make sure you have it directed to the right file! :)
Is your web server chrooted? Try putting the executable into a directory that is viewable by the server.
Play around around with safe mode and definitely check your web server log file, normally in:
/var/log/apache2/error.log