screwy/incorrect behavior in PHP script


Results 1 to 3 of 3

Thread: screwy/incorrect behavior in PHP script

  1. #1
    Join Date
    Jan 2003
    Location
    Austin, Texas
    Posts
    684

    screwy/incorrect behavior in PHP script

    I have some PHP code that is supposed to invoke a bash script and it doesn't seem to be working. The basic idea is that it is pulling down an HTML file, scanning it with clamscan, and then reporting whether or not an infection is found in the source code. Not perfect but it doesn't have to be. The shell script is as follows:

    Code:
    #!/bin/bash
    
    in=/tmp/foo.html
    outfile=/tmp/clamscan.txt
    cd ~/bin
    addr=$(java ParseURL "$*")
    
    w3m -dump_source ${addr} | clamscan - > ${outfile} 2>&1
    infected=$(grep "Infected files" ${outfile} | tr -s ' ' | cut -d ' ' -f 3)
    exploit=$(grep "FOUND" ${outfile})
    
    if [ -n "$exploit" ]; then
      echo "infected"
    elif [ -n "$infected" ]; then
      if [ $infected -gt 1 ]; then
        echo "infected"
      else
        echo "clean"
      fi
    else
      echo "clean"
    fi
    
    rm -rf $in
    rm -rf $outfile
    Just FYI, the Java class will parse a string and pull out only the URL from it based on some regular expressions. So if I pass in the string "hello my name is www.ebay.com and I like to sell stuff" the Java program would return only the string "www.ebay.com".

    What is silly is that I can run the above shell script manually and it will output the correct answer:

    Code:
    $ ./friend-scan is testing http://www.xxx.xxx/exp2.html
    infected

    However, if I call the exact same command from my PHP code it prints "clean". Here is the PHP code (and at this particular point, the variable $msg is the string "is testing http://www.xxx.xxx/exp2.html"):

    Code:
          // run clam-scan on the target HTML file
          $command = "/home/bdmayes/bin/friend-scan $msg";
          echo "Calling $command <br>";
          $myOutput=shell_exec($command);
          echo "<pre>$myOutput</pre>";
    and here is the output from the resulting HTML page:

    Code:
    Calling /home/bdmayes/bin/friend-scan is testing http://www.xxx.xxx/exp2.html
    
    clean

    I have done some testing by adding the following code to my shell script:

    Code:
    testFile=/tmp/addr.txt
    echo "$*" >> $testFile
    echo "$infected" >> $testFile
    echo "$exploit" >> $testFile
    echo "" >> $testFile
    and what I found is that when my PHP code calls the friend-scan script, the variable $exploit seems to be null. Also, it finds zero infections:

    Code:
    $ cat /tmp/addr.txt 
    is testing http://www.xxx.xxx/exp2.html
    0
    If I run this exact same script manually it finds an infection!

    Code:
    $ cat /tmp/addr2.txt 
    is testing http://www.xxx.xxx/exp2.html
    1
    stdin: Exploit.CVE-2006-3730 FOUND

    How is this possible? Anybody have an idea what is going on here? (bwkaz -- I'm looking in your direction )
    "The author of that poem is either Homer or, if not Homer, somebody else of the same name."

  2. #2
    Join Date
    Jan 2003
    Location
    Austin, Texas
    Posts
    684
    Nevermind...I am a total idiot. The problem was the third line in the above shell script which says:

    Code:
    cd ~/bin
    This works for my user, but the apache user isn't the same as my default login...so yeah... ~ points to a different directory which doesn't even exist on the system. Hence the script fails to generate the correct output because the java program isn't being run correctly. I'm an idiot.
    "The author of that poem is either Homer or, if not Homer, somebody else of the same name."

  3. #3
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,947
    AH! Duh.

    Yep.



    (No, I wouldn't have caught that... )

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •