Get the latest Laravel/PHP jobs, events and curated articles straight to your inbox, once a week
![[Part 4/100] Security? Who is she](https://codelabs.nyc3.digitaloceanspaces.com/contents/August2022/bE9aGMh4VXl7KCFOkjqmYAHXEu4Amk7A.png)
Source: dev.to
[Part 4/100] Security? Who is she
Ignoring the 11 months since Part 3 was posted, it would be nice to share a tale between yours truly & Laravel, whomst've have tried their best avoiding a line of code that I believe is exploitable, present for over 6 years. The year was 2021; upon discovering what I perceived to be an exploitable piece of code that existed within Laravel since at least 2016, I did what any good Samaritan would do.
With assistance of this line of code, using the Laravel Framework we're able to schedule the execution of any arbitrary shell command (Outside of Laravel).
Proof of Concept to prove Laravel package vendors can exploit the command scheduler to run self-scheduled arbitrary shell commands.
The guys at Laravel responded as follows: But, isn't users installing a malicious internal package always a security vulnerability.
With assistance of this line of code, using the Laravel Framework we're able to schedule the execution of any arbitrary shell command (Outside of Laravel).
Proof of Concept to prove Laravel package vendors can exploit the command scheduler to run self-scheduled arbitrary shell commands.
The guys at Laravel responded as follows: But, isn't users installing a malicious internal package always a security vulnerability.
Newsletter
Glimpse
Glimpse streamlines Laravel development by seamlessly deploying GitHub pull requests to preview environments with the help of Laravel Forge.
Community Partners
Laravel/PHP Careers