Why it Matters

PHP functions like exec(), shell_exec(), system(), or backticks run commands directly on the server’s operating system. If any part of the command includes user input, attackers can inject malicious commands. This can lead to full server compromise, stolen data, or ransomware.

Command injection is one of the most dangerous vulnerabilities. Avoiding unsafe functions and sanitizing inputs with strict allow-lists are the only safe ways to handle system commands. In most cases, safer PHP functions or Magento APIs exist and should be used instead.

Verification Steps

Manual

# Search for dangerous PHP functions in custom code
grep -R "exec(" app/code
grep -R "shell_exec(" app/code
grep -R "system(" app/code
grep -R '`' app/code   # single quotes: a backtick inside double quotes would start shell command substitution

Remediation / Fix Guidance

  1. Avoid using dangerous functions unless absolutely necessary.
  2. If commands are required, build them with fixed values and not user input.
  3. Use strict allow-lists for arguments (for example, only allow certain fixed options).
  4. Look for safer alternatives like Magento APIs, PHP built-in functions, or libraries.
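The four steps above, worked through as an added example (not code from this baseline page or from Magento): the user value is only ever used as a key into an allow-list, the command line is built from fixed values chosen by that allow-list, and a shell-free PHP built-in is shown as the preferred alternative. REPORT_TYPES, the /var/data/reports paths and the `report` request parameter are constructed for this example.

```php
<?php
// Added example, not part of the baseline page: allow-listed, fixed-value
// command construction beside a shell-free alternative.

declare(strict_types=1);

// Allow-list: user-facing names map to fixed paths the application controls.
// Names and paths are constructed for this example.
const REPORT_TYPES = [
    'daily'  => '/var/data/reports/daily.csv',
    'weekly' => '/var/data/reports/weekly.csv',
];

/**
 * Resolve a user-supplied report name to a fixed path, or null when it is
 * not on the allow-list. The raw value is used only as an array key and is
 * never copied into the command.
 */
function resolveReport(string $requested): ?string
{
    return REPORT_TYPES[$requested] ?? null;
}

/**
 * Step 2 and 3: if a command is really required, every token is a fixed
 * value selected by the allow-list. escapeshellarg() is applied anyway as
 * defence in depth, so a future change to the table cannot reopen the hole.
 */
function buildCommand(string $requested): ?string
{
    $path = resolveReport($requested);
    if ($path === null) {
        return null;
    }
    return 'wc -l ' . escapeshellarg($path);
}

/**
 * Step 4: the preferred form needs no shell at all. A PHP built-in reads the
 * same allow-listed file and returns the line count directly.
 */
function countLinesWithoutShell(string $requested): ?int
{
    $path = resolveReport($requested);
    if ($path === null || !is_file($path)) {
        return null;
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : count($lines);
}

// Demonstration: a value carrying shell metacharacters is simply not a key
// in REPORT_TYPES, so it is rejected before any command is assembled.
$requested = $_GET['report'] ?? 'daily; echo injected';
$cmd = buildCommand($requested);
echo $cmd === null
    ? "rejected: '$requested' is not an allow-listed report\n"
    : "would run: $cmd\n";

$count = countLinesWithoutShell('daily');
echo $count === null
    ? "daily report not present on this host\n"
    : "daily report has $count lines\n";
```

Run from the CLI (`php example.php`) the script prints the rejection line, because the default value is not an allow-list key; the shell-free function returns null on a host where the constructed path does not exist, which is the failure mode a caller should expect rather than an exception.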

Examples

Fail Example

// Unsafe, user input goes into command
$filename = $_GET['file'];
system("cat " . $filename);

Pass Example

// Safer, avoid system commands: no shell is involved, and basename() strips
// directory components so path separators in the input cannot be used to
// leave /var/data/
$filename = basename($_GET['file']);
echo file_get_contents('/var/data/' . $filename);