Everyone who plans to use WMI on any project, not just projects dealing with PHP, needs to be aware of the security risk that WMI can present. WMI is a very powerful tool. You can change critical system information with WMI. If someone has access to your WMI scripts, you should make sure that they are someone you trust with not only your source code but your entire system, because with WMI that’s basically what they have, your entire system.
I’d suggest only using WMI if it’s a must. If you use WMI in an open environment that can receive outside connections, make absolutely sure that it can’t be accessed by the public. If you're making a script that can be accessed by the public, make sure that there’s no possible way for them to edit or change the WQL in anyway. I cannot stress this enough. WMI can be used to do as much as changing your desktop wallpaper, all the way to editing hardware information, and in some rare cases the BIOS can even be controlled, and the system can be shutdown.
Before you begin a project with WMI, take note of any security risks that may be involved and deal with them in the proper ways.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
