REX: Remote Execution Framework for PHP

Security and REX

The REX framework offers no built-in security.

Because the whole point of the system is to allow execution of arbitrary code, it is potentially a serious security risk unless you take measures to secure your implementation.

There are two primary risk factors when using REX:

Poisoning of Code Store

Because REX downloads code from a store and executes it, any unauthorised access to, or modification of, the code store could lead to maliciously adulterated code being run on the client systems.

Of course, this is a risk whenever code (or a binary) is downloaded from a remote site, but with a traditional method (installing the program on the client) any poisoned code must be present at the point of download.

With REX, the code is loaded "fresh" on each execution, so a store that is poisoned at any later time affects every run that follows, and the theoretical risk of compromise is higher.

So it is important to keep your code server secure and be careful where you are executing REX code from.

Execution of Arbitrary Code

If the REX executor (or your own implementation using the API) is exposed in a way that allows filenames for execution to be passed in, then a malicious agent could simply set up their own "bad" code store and get your clients to download and execute it.

Always ensure your REX executor is secure, at the very least by limiting access to the web interface through HTTP-AUTH or specific HTTP access rules.
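The following added example (not part of REX or its API) sketches one guard for both risks above: it accepts code only from an allowlisted store over HTTPS, and only if the body matches a SHA-256 digest pinned when the code was reviewed. This goes beyond the access controls named on this page. The function name `rex_guard_check`, the host `code.example.internal`, the path and the sample code are all assumptions made up for illustration; fetching and executing are left to your own implementation.

```php
<?php
// Added example: hypothetical guard, not REX code. All names are assumptions.

/**
 * Return $body only if $url points at a trusted store and $body matches the
 * digest pinned for that exact host and path. Throws otherwise.
 */
function rex_guard_check(string $url, string $body, array $stores, array $pins): string
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        throw new RuntimeException('code store URL must use https');
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, $stores, true)) {        // exact match, no suffix or wildcard
        throw new RuntimeException("untrusted code store: $host");
    }
    $key = $host . ($parts['path'] ?? '');
    if (!isset($pins[$key])) {
        throw new RuntimeException("no pinned digest for $key");
    }
    // Constant-time comparison of the pinned and the computed digest.
    if (!hash_equals($pins[$key], hash('sha256', $body))) {
        throw new RuntimeException("digest mismatch for $key: store content changed");
    }
    return $body;                                  // safe to hand to the executor
}

// --- Constructed sample data (runs offline) ---
$reviewed = "<?php echo 'nightly report';";       // code as it was when reviewed
$stores   = ['code.example.internal'];
$pins     = ['code.example.internal/rex/report.php' => hash('sha256', $reviewed)];

$cases = [
    'trusted, unchanged' => ['https://code.example.internal/rex/report.php', $reviewed],
    'trusted, modified'  => ['https://code.example.internal/rex/report.php', $reviewed . ' // changed'],
    'unknown store'      => ['https://other.example.net/rex/report.php', $reviewed],
    'plain http'         => ['http://code.example.internal/rex/report.php', $reviewed],
];

foreach ($cases as $label => [$url, $body]) {
    try {
        rex_guard_check($url, $body, $stores, $pins);
        echo "$label: accepted\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Keep the pin table on the client, outside the code store, so that write access to the store alone is not enough to change what gets executed.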


