The main problem with launching shells is that attackers might execute shell commands riding on the system() or popen() function calls. An attacker could include special metacharacters and flags in the command string being passed to the shell for execution. (A metacharacter is a sequence of one or more characters that the shell interprets as a directive with a special meaning.)For example, the bash, csh, and ksh shells treat the symbol >> as an instruction to append output to a file; or the symbol ; is construed as a command separator, which allows grouping of several commands in one line. Allowing users to compose a command string that may contain metacharacters is highly dangerous. Even running the shell under an account with limited privileges, users can still collect sensitive information by listing files in the current directory or exploring network configuration as they pass the following string to a shell. For example:
Another issue of concern is the ability to manipulate the Input Field Separator (IFS) and environment variables such as $HOME and $PATH to launch malicious programs. Finally, attackers can exploit the infamous buffer overflow bug, which we discussed several weeks ago, by typing a very long string.
How can you minimize the risks involved in launching shells from a program?
Don't use system() and popen() in any program or script publicly accessible on your Web host; It's strongly advised that you don't use these functions in SGID and SUID programs and scripts; Limit the length of an input string so that it doesn't cause a buffer overflow; Screen the input string and remove any metacharacters from it before you pass it to system() or popen().
Remember, in most cases you can give users the ability to make their selection from menus, check boxes, radio lists, etc..., and let your program compose a safe command string instead accepting an input string directly from a user.