I downloaded the plugin and saw that you just need to enumerate the installed packages and retrieve their info data.
Exactly as this program does (together with many other things):
http://pear.php.net/package/PEAR_Frontend_Web/download
I've searched for any occurrence of "exec", "shell", "system" or "popen" in that code:
Code:
tillo@pctillo ~/PROGRAMMI/PEAR_Frontend_Web-0.7.3 $ grep -R -e popen -e exec -e shell -e system .
./pearfrontendweb.php: // TODO: doesn't work yet ! There is no way to find the system config
tillo@pctillo ~/PROGRAMMI/PEAR_Frontend_Web-0.7.3 $
As you can see, they have been concerned about security.
The bottom line is that it is perfectly possible to retrieve any information (AND execute any command, like build/install/remove) about PEAR packages through their exporting library: see this in the main php file:
Code:
require_once 'PEAR/Frontend.php';
require_once 'PEAR/Command.php';
Unfortunately I have no time to help you more than that, sorry.
I hope (for nemafire) that you will take a moment to make the script non-dependent on exec().
Oh, and another interesting thing:
Code:
tillo@less:~$ file /usr/local/php5/bin/pear
/usr/local/php5/bin/pear: Bourne shell script text executable
tillo@less:~$ tail -n 1 /usr/local/php5/bin/pear
exec $PHP -C -q $INCARG -d output_buffering=1 -d variables_order=EGPCS -d open_basedir="" -d safe_mode=0 -d register_argc_argv="On" -d auto_prepend_file="" -d auto_append_file="" $INCDIR/pearcmd.php "$@"
tillo@less:~$ locate pearcmd.php
/usr/local/lib/php/pearcmd.php
The pear binary you are executing... it's just a script launching another PHP script;
maybe you can include that, I don't know.
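As an added example (not code from the post above or from PEAR_Frontend_Web), here is how the same thing can be done in-process through the PEAR library: enumerate the installed packages from the PEAR registry and run a PEAR command through PEAR_Command, with no exec() at all. It assumes PEAR is on the include_path (e.g. /usr/local/lib/php) and that PEAR_Config::singleton(), PEAR_Registry::getPackage() and PEAR_Command::factory() behave as in PEAR 1.4+; the function names listInstalledPackages and runPearCommand and the allowlist are my own.

```php
<?php
// Added example, not part of the original post or of PEAR_Frontend_Web.
// Assumption: PEAR >= 1.4 is on include_path and pear.conf is readable by
// the user running this script (in a web context that is the web server user).
require_once 'PEAR.php';
require_once 'PEAR/Config.php';
require_once 'PEAR/Registry.php';
require_once 'PEAR/Command.php';
require_once 'PEAR/Frontend.php';

// Read the install registry directly: name, version and stability of every
// package installed from $channel. No shell, no pear binary involved.
function listInstalledPackages($channel = 'pear.php.net')
{
    $config   = PEAR_Config::singleton();   // loads system/user pear.conf
    $registry = $config->getRegistry();     // PEAR_Registry for this install
    $packages = array();
    foreach ($registry->listPackages($channel) as $name) {
        $pf = $registry->getPackage($name, $channel); // PEAR_PackageFile_v1/v2
        if (!$pf) {
            continue;                                  // registry entry unreadable
        }
        $packages[$name] = array(
            'version' => $pf->getVersion(),
            'state'   => $pf->getState(),
        );
    }
    return $packages;
}

// Run a PEAR command in-process, exactly as pearcmd.php does internally.
// The same entry point reaches 'install', 'uninstall', 'build' etc., so a
// web frontend must never pass a user-controlled command name here: only
// read-only commands are allowed in this (assumed) allowlist.
function runPearCommand($command, $params = array(), $options = array())
{
    $readOnly = array('list', 'info', 'list-upgrades', 'config-show');
    if (!in_array($command, $readOnly, true)) {
        return PEAR::raiseError("command '$command' not permitted from the web frontend");
    }
    $config = PEAR_Config::singleton();
    // Output goes to the selected frontend (the CLI one prints to stdout).
    PEAR_Frontend::setFrontendClass('PEAR_Frontend_CLI');
    $cmd = PEAR_Command::factory($command, $config);
    if (PEAR::isError($cmd)) {
        return $cmd;
    }
    return $cmd->run($command, $options, $params);
}

// Usage (assumed paths/config): prints the registry contents, then the
// output of "pear list" produced without spawning a process.
foreach (listInstalledPackages() as $name => $meta) {
    printf("%-30s %-10s %s\n", $name, $meta['version'], $meta['state']);
}
$result = runPearCommand('list');
if (PEAR::isError($result)) {
    echo "error: " . $result->getMessage() . "\n";
}
```

Note that the pear wrapper script shown above starts PHP with open_basedir="" and safe_mode=0; when the same library is included from a web script those restrictions stay in force, and any install/remove path will also need write access to the PEAR directories as the web server user, which is usually not what you want.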