Disabling Dangerous PHP Functions..

Rock · #1 (**permalink**) 30-09-2008, 01:02

Have you ever wondered which PHP functions are termed to be highly dangerous in web hosting & should promptly be left disabled in the configuration ?

PHP is a powerful language which; when used in an improper way, either unknowingly; carries the potential to mess up with a web hosting server & hack/exploit user accounts further upto root level. Hackers using an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control over the complete server quickly.. Certain functions which are used in such scripts are termed to be dangerous & are turned off in the PHP configuration. Let's find out which functions are dangerous & how they are turned off..

Here's a complete list of such functions which are needed to be stopped from being executed within any website on your web hosting server:

Quote:

"apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Locate your php.ini and then edit:

Quote:

root@server [~]# php -i | grep php.ini

You'd get "Configuration File (php.ini) Path => /etc/php.ini" or any other different location, such as /usr/local/lib/php.ini

Now edit the file using your favourite editor :

Quote:

root@server [~]# vi /etc/php.ini

Search for the following text within that configuration file & modify disable_functions = "" to

Quote:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

After modifying the PHP configuration, the Apache web server needs to be restarted.. for the above done changes to take effect.

If you find any problems with your web-applications after disabling these above mentioned functions, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application..

Note that the above mentioned solution is applicable for both type of servers, Linux web hosting server & for Windows web hosting servers as well.. The PHP configuration on Windows is generally found in the C:\Windows folder.. Make sure you restart IIS web server PHP config modifications on windows servers too..

**Dennis** · #2 (**permalink**) 30-12-2008, 18:24

Hello People!
And I hope everyone gets safe into Jan. the 1st to enjoy 2009 fully.

I notice that you have shell_exec mentioned which I also want to disable on my VPS account. However, it looks like Fantastico won't work proper after that is done. How did you solve that on your servers?

Regards,

Me

Rock · #3 (**permalink**) 31-12-2008, 02:12

Hey Dennis !

On behalf of Eukhost and its members, it's our pleasure to welcome you as a new member of the community and to offer thanks for your enthusiasm and interest in the group. We are glad you have decided to join us as we continue to do our part to enrich the community..

shell_exec is required for uninstalling/removing the applications from Fantastico, hence you'd face absolutely no problems while installing any of them if the function is disabled.. If you want to remove a particular application & you proceed towards the Fantastico for it's removal, it'd error out saying some files aren't removed, to which you need to remove them manually, as the steps are provided there itself in the error. That's all..

**Dennis** · #4 (**permalink**) 31-12-2008, 02:40

Thank you but when I disallow shell_exec and the user visits fantastico in his cPanel, he will see the following error:

Quote:

Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *

Have I forgotten any additional settings if I disable shell_exec ?

**WelshTom** · #5 (**permalink**) 10-01-2009, 21:35

Quote:

Originally Posted by Dennis

Thank you but when I disallow shell_exec and the user visits fantastico in his cPanel, he will see the following error:

Have I forgotten any additional settings if I disable shell_exec ?

Run this from SSH: /scripts/makecpphp

This script will install another copy of PHP for use with the cPanel/WHM backend (and its addons such as Fantastico).