GuardAPI

Fix Command Injection in FuelPHP

Command injection in FuelPHP is a high-impact RCE vector where unvalidated user input reaches system execution functions. If your controller pipes Input::post() or params directly into shell_exec, system, or passthru, an attacker can chain commands using shell metacharacters like semicolon, ampersand, or pipe to seize control of the underlying OS.

The Vulnerable Pattern

public function action_check_host() {
    $target = Input::param('host');
    // CRITICAL VULNERABILITY: Direct concatenation allows command chaining
    $result = shell_exec("nslookup " . $target);
    // The raw command output is also reflected into the page without HTML escaping
    return Response::forge("<pre>$result</pre>");
}

The Secure Implementation

The exploit works because the shell interprets characters like ';' or '|' as command separators. The fix involves two layers: First, use FuelPHP's Input class combined with PHP's filter_var to ensure the data is syntactically valid (e.g., a real IP or domain). Second, use escapeshellarg() to wrap the input in single quotes and escape any internal quotes. This forces the shell to treat the entire input as a single literal argument rather than executable code. Always use Security::htmlentities() when reflecting output to prevent secondary XSS.

public function action_check_host() {
    $target = Input::param('host');

    // 1. Strict Validation: Ensure input matches expected format (e.g., hostname/IP)
    if (!filter_var($target, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        return Response::forge("Invalid input", 400);
    }

    // 2. Shell Escaping: Neutralize shell metacharacters
    $safe_target = escapeshellarg($target);

    $result = shell_exec("nslookup " . $safe_target);
    return Response::forge("<pre>" . Security::htmlentities($result) . "</pre>");
}
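The two layers above can be exercised outside of FuelPHP. The script below is an added example, not GuardAPI's or FuelPHP's own code: it reimplements the validate-then-escape step as a plain function so you can run it from the PHP CLI against constructed inputs, and it adds a third option the article does not show, passing an argument array to proc_open() (PHP 7.4 and later), which runs the program without any shell so there are no metacharacters to interpret. The function names, the sample hostnames and the payload strings are all constructed for the example. Note that escapeshellarg() is platform-dependent (it uses double quotes and strips % and ! on Windows), so the shell-free form is the more robust choice when you control the PHP version.

```php
<?php
// Added example (not GuardAPI's or FuelPHP's code): framework-free version of
// the validate-then-escape fix, plus a shell-free alternative.
declare(strict_types=1);

/**
 * Layer 1 + Layer 2 from the article: reject anything that is not a
 * syntactically valid hostname, then quote the survivor so the shell sees
 * exactly one literal argument. Returns null when validation fails.
 */
function build_nslookup_command(string $target): ?string
{
    // FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME requires PHP >= 7.0.
    if (filter_var($target, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so ';', '|' and '&' lose their meaning.
    return 'nslookup ' . escapeshellarg($target);
}

/**
 * Shell-free alternative (PHP >= 7.4): an argument array given to proc_open()
 * is passed to the program directly, bypassing /bin/sh entirely.
 * Returns the program's stdout, or null if validation fails or the process
 * cannot be started.
 */
function run_nslookup_without_shell(string $target): ?string
{
    if (filter_var($target, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['nslookup', $target], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed sample inputs: one legitimate hostname followed by the kinds of
// chained-command payloads the article describes (semicolon, pipe, quote break).
$samples = [
    'example.com',
    'example.com; id',
    'example.com | whoami',
    "example.com' ; id ; '",
];

foreach ($samples as $input) {
    $cmd = build_nslookup_command($input);
    printf("%-28s => %s\n", var_export($input, true), $cmd ?? 'REJECTED by filter_var');
}

// Escaping alone, without the validation layer, still yields a single quoted
// argument; the shell would pass the whole string to nslookup as one name.
printf("escapeshellarg only: %s\n", 'nslookup ' . escapeshellarg("example.com' ; id ; '"));
```

Running the script prints `nslookup 'example.com'` for the first sample and `REJECTED by filter_var` for the other three, because a space, semicolon, pipe or quote is never part of a valid hostname label; the final line shows how escapeshellarg() turns the quote-break payload into `'example.com'\'' ; id ; '\'''`, one argument that the shell cannot split into further commands. In a FuelPHP controller you would call run_nslookup_without_shell() with Input::param('host') and still wrap the result in Security::htmlentities() before reflecting it.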


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.