How to Disable Dangerous PHP Functions (Solution)


PHP (a recursive acronym for "PHP: Hypertext Preprocessor") is a powerful and popular server-side scripting language used to serve dynamic web pages. It is simple to write and debug and supports many databases, including MySQL, MS SQL and Oracle.

But have you ever considered that some PHP functions can be dangerous to your server and to the data stored on it?

When PHP code is written insecurely, it can expose the web hosting server and make it easy to compromise. A single insecure script can damage server data to a degree you might not expect.

Through a hole in insecure PHP code (for example, user input passed to a shell command), an attacker can call whichever powerful PHP functions are still enabled and use them to take control of the hosting server. Many of these functions should be disabled in the PHP configuration file. Let's look at the functions that should be disabled on your web server right away.

Following is the list of PHP functions from the original article, grouped by what each gives an attacker, with corrections where the original list is wrong:

Program and process execution (the ones that matter most): exec, passthru, popen, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, shell_exec, system

Outbound FTP from a compromised script (fetching tools, exfiltrating data): ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist

Process, signal and environment control: apache_child_terminate, apache_setenv, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid (listed twice in the original)

Information disclosure: highlight_file (its alias show_source must be listed as well, or the block is pointless), ini_get_all, php_uname, posix_uname

Changing the runtime configuration: ini_alter (an alias of ini_set, so disabling it alone changes nothing), ini_restore

Logging: openlog, syslog, define_syslog_variables (removed in PHP 5.4)

Legacy and other entries: mysql_pconnect (the whole mysql_* extension was removed in PHP 7.0), xmlrpc_entity_decode

Entries that disable_functions cannot act on at all: eval (a language construct, not a function; no php.ini setting disables it), fp and fput (not PHP functions; fputs is the real alias of fwrite), inject_code, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode (functions of the phpAdsNew/OpenX ad server, not of PHP). The directive only affects internal functions and silently ignores unknown names, so these entries give a false sense of coverage.

Entries that are defensive, not dangerous: escapeshellarg, escapeshellcmd. They exist to quote arguments for the shell functions; disabling them breaks the escaping in scripts that still use exec or system and gives an attacker nothing. Leave them enabled.

On cPanel servers where the PHP handler is DSO (mod_php), PHP runs as the web server user, nobody. Combined with 777 permissions this becomes a security hole: 777 lets the nobody user read, write and execute the file, so a script in one compromised account can modify files in every other account. Be careful with permissions.

Set directories to 755 and files to 644, so that only the owner can modify them. With the suPHP/phpsuexec handler, PHP runs as the account owner instead of nobody, and the handler refuses to execute scripts that are world-writable (777) or owned by a different user. Enable it for maximum security.

Functions such as exec and system run external programs, including arbitrary shell commands. If they are enabled and a script passes user input into them, a user can run any command on your server: they can delete all your data with rm -rf *, or chain an extra command of their choice by putting a semicolon (;) in the argument. So it is better to disable exec and system (and the related shell functions) in your php.ini configuration file.
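The injection described above, as an added example that is not code from the original article: a hypothetical "ping" endpoint written the vulnerable way, then hardened with an allowlist plus escapeshellarg(), and finally without any shell at all. The function names, the validation regex and the attacker input are assumptions made for this example.

```php
<?php
// Added example, not code from the original article: a hypothetical "ping"
// endpoint in a vulnerable form and two hardened forms. Function names, the
// regex and the attacker input are assumptions for illustration.

declare(strict_types=1);

// VULNERABLE: the request parameter is pasted straight into a shell command.
// host=127.0.0.1;id makes /bin/sh run "ping -c 1 127.0.0.1" and then "id";
// host=127.0.0.1;rm -rf * is the destructive variant the article describes.
function ping_vulnerable(string $host): string
{
    $output = [];
    exec('ping -c 1 ' . $host, $output);
    return implode("\n", $output);
}

// Allowlist check shared by the hardened variants: a hostname or IPv4
// literal made of letters, digits, dots and hyphens, with no leading hyphen
// so the value can never be parsed by ping as an option (argument injection).
function assert_valid_host(string $host): void
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host)) {
        throw new InvalidArgumentException("rejected host: $host");
    }
}

// HARDENED (shell still involved): validate, then quote with escapeshellarg(),
// which on Unix wraps the value in single quotes so ; | & $ ( ) reach ping as
// literal characters. This is why escapeshellarg/escapeshellcmd belong on the
// "keep enabled" side, not in disable_functions.
function ping_hardened(string $host): string
{
    assert_valid_host($host);
    $output = [];
    exec('ping -c 1 ' . escapeshellarg($host), $output);
    return implode("\n", $output);
}

// HARDENED (no shell at all): since PHP 7.4 proc_open() accepts the command
// as an argv array and executes it directly, so there is no command line for
// metacharacters to break out of. The allowlist is still applied.
function ping_no_shell(string $host): string
{
    assert_valid_host($host);
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed attacker input: a valid address with a second command chained.
$attacker = '127.0.0.1;id';

if (PHP_SAPI === 'cli') {
    foreach (['ping_hardened', 'ping_no_shell'] as $fn) {
        try {
            $fn($attacker);
            echo "$fn: accepted (unexpected)\n";
        } catch (InvalidArgumentException $e) {
            echo "$fn: {$e->getMessage()}\n";
        } catch (Error $e) {
            // On PHP 8 a function listed in disable_functions is reported as
            // undefined ("Call to undefined function exec()"); PHP 7 instead
            // emits a warning and returns null.
            echo "$fn: {$e->getMessage()}\n";
        }
    }
    // ping_vulnerable($attacker) is deliberately never called here.
}
```

Run it with php on the command line: both hardened variants reject the constructed input before any process is started, and once exec and proc_open are in disable_functions the catch block shows how PHP 8 reports the call. The vulnerable function is kept only to show the pattern to look for in your own code.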

Run the following over SSH to find your php.ini:

php -i | grep php.ini

(php --ini prints the same information in a more readable form.) Usually the file is /etc/php.ini or /usr/local/lib/php.ini. Note that this reports the php.ini loaded by the command-line binary; the web SAPI (mod_php or PHP-FPM) may load a different file, and a phpinfo() page shows the "Loaded Configuration File" for it.

Open the file in your favourite editor; vi is used here:

vi /etc/php.ini

Search for disable_functions in the php.ini file.

disable_functions is the directive that disables named internal functions. It takes a comma-separated list (spaces after the commas are tolerated) and must be set in php.ini itself; it cannot be set from httpd.conf, .htaccess or ini_set(). It is a blocklist by name: it does not cover language constructs such as eval or include, aliases must be listed separately, and bypasses through other extensions are well documented (for example setting LD_PRELOAD with putenv() before calling a function such as mail() that spawns a child process), so treat it as one hardening layer rather than a complete fix.

Once you find the directive, set it as shown below. This is the original article's line with the non-functions, the duplicate posix_setuid and the two escaping helpers removed, and show_source added beside its alias highlight_file:

disable_functions = apache_child_terminate,apache_setenv,exec,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,show_source,ini_alter,ini_get_all,ini_restore,openlog,passthru,php_uname,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system

The original line also listed define_syslog_variables, mysql_pconnect and xmlrpc_entity_decode. Unknown names are ignored, so keeping them does no harm on a current PHP, but it does nothing useful either.

The above changes apply to both Linux and Windows servers.

Once you have modified php.ini, restart the web server for the change to take effect: Apache on Linux, IIS on Windows. If PHP runs under PHP-FPM rather than inside the web server, restart (or reload) the php-fpm service as well, since it reads php.ini independently.
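After the restart, verify that the directive actually took effect under the SAPI that serves your site. The following audit script is an added example, not part of the original article or of cPanel: it parses the running configuration and reports anything expected but missing, anything listed that PHP silently ignores, and the two escaping helpers if they were wrongly disabled. The EXPECTED_DISABLED, NO_EFFECT and KEEP_ENABLED lists are this example's assumptions, derived from the corrected list above.

```php
<?php
// Added example, not from the original article or cPanel: an audit script
// that checks, under whichever SAPI runs it, that the corrected list of
// functions is really disabled. The three constants below are assumptions
// derived from the article's list.

declare(strict_types=1);

// Internal functions the corrected disable_functions line should contain.
const EXPECTED_DISABLED = [
    'exec', 'passthru', 'popen', 'proc_open', 'proc_close', 'proc_get_status',
    'proc_nice', 'proc_terminate', 'shell_exec', 'system',
    'highlight_file', 'show_source', 'php_uname', 'posix_uname',
    'posix_getpwuid', 'posix_kill', 'posix_mkfifo', 'posix_setpgid',
    'posix_setsid', 'posix_setuid', 'apache_child_terminate', 'apache_setenv',
    'ini_alter', 'ini_get_all', 'ini_restore', 'openlog', 'syslog',
    'ftp_connect', 'ftp_exec', 'ftp_get', 'ftp_login', 'ftp_nb_fput',
    'ftp_put', 'ftp_raw', 'ftp_rawlist',
];

// Names from the original list that disable_functions cannot act on:
// eval is a language construct, the rest are not PHP internal functions.
const NO_EFFECT = [
    'eval', 'fp', 'fput', 'inject_code', 'phpads_remoteinfo', 'phpads_xmlrpc',
    'phpads_xmlrpcdecode', 'phpads_xmlrpcencode',
];

// Defensive helpers that should stay enabled.
const KEEP_ENABLED = ['escapeshellarg', 'escapeshellcmd'];

// The directive is comma-separated; PHP also accepts spaces as separators.
// Function names are case-insensitive, so everything is compared lower-cased.
function parse_disable_functions(string $raw): array
{
    $names = preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique(array_map('strtolower', $names)));
}

function audit_disable_functions(array $configured): array
{
    $set = array_flip($configured);
    $report = [
        'missing'          => [], // expected but absent from the directive
        'still_callable'   => [], // listed, yet function_exists() still true
        'no_effect'        => [], // listed, but silently ignored by PHP
        'wrongly_disabled' => [], // defensive helpers that were disabled
    ];
    foreach (EXPECTED_DISABLED as $name) {
        if (!isset($set[$name])) {
            $report['missing'][] = $name;
        } elseif (PHP_VERSION_ID >= 80000 && function_exists($name)) {
            // From PHP 8.0 a disabled function is removed from the function
            // table, so function_exists() is a real runtime check. On PHP 7
            // a stub that only warns when called remains, so there the ini
            // value is the only evidence available.
            $report['still_callable'][] = $name;
        }
    }
    foreach (NO_EFFECT as $name) {
        if (isset($set[$name])) {
            $report['no_effect'][] = $name;
        }
    }
    foreach (KEEP_ENABLED as $name) {
        if (isset($set[$name])) {
            $report['wrongly_disabled'][] = $name;
        }
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$configured = parse_disable_functions((string) ini_get('disable_functions'));
$report = audit_disable_functions($configured);

printf("SAPI %s, PHP %s, loaded php.ini: %s\n",
    PHP_SAPI, PHP_VERSION, php_ini_loaded_file() ?: '(none)');
printf("%d names in disable_functions\n", count($configured));
foreach ($report as $key => $names) {
    printf("%-17s %s\n", $key . ':', $names ? implode(', ', $names) : '-');
}
```

Run it twice: once with php on the command line, and once by placing it in a web root and loading it in a browser (then delete it). The first line of output names the SAPI and the php.ini it loaded, which is how you catch the common case where the CLI and the web server read different files and only one of them was hardened.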

After disabling these functions you may find that some web applications break. For example, with shell_exec disabled, visiting Fantastico in cPanel may show the error below (this is the PHP 5/7 wording; PHP 8 instead stops with a fatal Error: Call to undefined function shell_exec()):

Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *

In that case, run the following over SSH:

/scripts/makecpphp

This installs a separate copy of PHP for the cPanel/WHM backend and its add-ons such as Fantastico, so they no longer run on the PHP you have just restricted.
