This document outlines how to detect, mitigate, and harden against Remote Command Execution (RCE) vulnerabilities introduced by insecure handling of HTTP headers, specifically the User-Agent.
GitHub: BackdoorAli
Unsanitised use of the User-Agent header in system commands allows attackers to inject payloads, such as, for example:
User-Agent: zerodium; id
This can lead to:
- Unauthorised command execution
- Data exfiltration
- Server compromise
- Do not use
system()or similar shell functions (exec,passthru,popen) with unsanitised input. - If shell execution is necessary, strictly control all input.
If system calls are unavoidable:
$ua = escapeshellarg($_SERVER['HTTP_USER_AGENT']);
system("echo $ua >> /tmp/ua_log.txt");Use escapeshellarg() or escapeshellcmd() in PHP to neutralize dangerous characters.
Avoid manual shell commands for logging. Use PHP-native logging methods instead:
error_log($_SERVER['HTTP_USER_AGENT']);Deploy a WAF to detect and block:
- Shell metacharacters (
;,&&,|,`) - Unexpected command syntax in headers
Watch /tmp, /var/log, and custom directories for unauthorised file changes.
- Disable unnecessary PHP functions (
system,exec,shell_exec) inphp.ini - Use non-root users for web services
- Implement mandatory access controls (e.g., AppArmor, SELinux)
Monitor logs for suspicious User-Agent strings:
- Use regex patterns to flag dangerous headers
- Correlate with outbound traffic or file changes
- Treat all HTTP headers as untrusted
- Never interpolate untrusted input directly into system commands
- Validate and encode inputs even if they appear “safe”
This guide is intended to help developers and defenders harden applications against this class of attack.