Tuesday, June 1, 2010

Disabling Dangerous PHP Functions cPanel

SkyHi @ Tuesday, June 01, 2010

Have you ever wondered which PHP functions are termed to be highly dangerous in web hosting & should promptly be left disabled in the configuration ?



PHP is a powerful language which; when used in an improper way, either unknowingly; carries the potential to mess up with a web hosting server & hack/exploit user accounts further upto root level. Hackers using an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control over the complete server quickly.. Certain functions which are used in such scripts are termed to be dangerous & are turned off in the PHP configuration. Let's find out which functions are dangerous & how they are turned off..



Here's a complete list of such functions which are needed to be stopped from being executed within any website on your web hosting server:


Quote:







"apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"


Locate your php.ini and then edit:


Quote:







root@server [~]# php -i | grep php.ini


You'd get "Configuration File (php.ini) Path => /etc/php.ini" or any other different location, such as /usr/local/lib/php.ini



Now edit the file using your favourite editor :

Quote:







root@server [~]# vi /etc/php.ini


Search for the following text within that configuration file & modify disable_functions = "" to

Quote:







disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"


After modifying the PHP configuration, the Apache web server needs to be restarted.. for the above done changes to take effect.



If you find any problems with your web-applications after disabling these above mentioned functions, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application..



Note that the above mentioned solution is applicable for both type of servers, Linux web hosting server & for Windows web hosting servers as well.. The PHP configuration on Windows is generally found in the C:\Windows folder.. Make sure you restart IIS web server PHP config modifications on windows servers too..


========================================================================
On behalf of Eukhost and its members, it's our pleasure to welcome you as a new member of the community and to offer thanks for your enthusiasm and interest in the group. We are glad you have decided to join us as we continue to do our part to enrich the community..



shell_exec is required for uninstalling/removing the applications from Fantastico, hence you'd face absolutely no problems while installing any of them if the function is disabled.. If you want to remove a particular application & you proceed towards the Fantastico for it's removal, it'd error out saying some files aren't removed, to which you need to remove them manually, as the steps are provided there itself in the error. That's all..

REFERENCES
http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/