Announcement

Collapse
No announcement yet.

Disabling Dangerous PHP Functions..

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • WelshTom
    replied
    Originally posted by Dennis View Post
    Thank you but when I disallow shell_exec and the user visits fantastico in his cPanel, he will see the following error:

    Have I forgotten any additional settings if I disable shell_exec ?
    Run this from SSH: /scripts/makecpphp

    This script will install another copy of PHP for use with the cPanel/WHM backend (and its addons such as Fantastico).

    Leave a comment:


  • Dennis
    replied
    Thank you but when I disallow shell_exec and the user visits fantastico in his cPanel, he will see the following error:
    Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *
    Have I forgotten any additional settings if I disable shell_exec ?

    Leave a comment:


  • Rock
    replied
    Hey Dennis !



    On behalf of Eukhost and its members, it's our pleasure to welcome you as a new member of the community and to offer thanks for your enthusiasm and interest in the group. We are glad you have decided to join us as we continue to do our part to enrich the community..

    shell_exec is required for uninstalling/removing the applications from Fantastico, hence you'd face absolutely no problems while installing any of them if the function is disabled.. If you want to remove a particular application & you proceed towards the Fantastico for it's removal, it'd error out saying some files aren't removed, to which you need to remove them manually, as the steps are provided there itself in the error. That's all..

    Leave a comment:


  • Dennis
    replied
    Hello People!
    And I hope everyone gets safe into Jan. the 1st to enjoy 2009 fully.


    I notice that you have shell_exec mentioned which I also want to disable on my VPS account. However, it looks like Fantastico won't work proper after that is done. How did you solve that on your servers?

    Regards,

    Me

    Leave a comment:


  • Rock
    started a topic Disabling Dangerous PHP Functions..

    Disabling Dangerous PHP Functions..

    Have you ever wondered which PHP functions are termed to be highly dangerous in web hosting & should promptly be left disabled in the configuration ?

    PHP is a powerful language which; when used in an improper way, either unknowingly; carries the potential to mess up with a web hosting server & hack/exploit user accounts further upto root level. Hackers using an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control over the complete server quickly.. Certain functions which are used in such scripts are termed to be dangerous & are turned off in the PHP configuration. Let's find out which functions are dangerous & how they are turned off..

    Here's a complete list of such functions which are needed to be stopped from being executed within any website on your web hosting server:
    "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
    Locate your php.ini and then edit:
    [email protected] [~]# php -i | grep php.ini
    You'd get "Configuration File (php.ini) Path => /etc/php.ini" or any other different location, such as /usr/local/lib/php.ini

    Now edit the file using your favourite editor :
    [email protected] [~]# vi /etc/php.ini
    Search for the following text within that configuration file & modify disable_functions = "" to
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
    After modifying the PHP configuration, the Apache web server needs to be restarted.. for the above done changes to take effect.

    If you find any problems with your web-applications after disabling these above mentioned functions, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application..

    Note that the above mentioned solution is applicable for both type of servers, Linux web hosting server & for Windows web hosting servers as well.. The PHP configuration on Windows is generally found in the C:\Windows folder.. Make sure you restart IIS web server PHP config modifications on windows servers too..
Working...
X