Thursday, July 28, 2011

Disabling Dangerous PHP Functions

Category: SkyHi @ Thursday, July 28, 2011
Have you ever wondered which PHP functions are termed to be highly dangerous in web hosting & should promptly be left disabled in the configuration ?

PHP is a powerful language which; when used in an improper way, either unknowingly; carries the potential to mess up with a web hosting server & hack/exploit user accounts further upto root level. Hackers using an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control over the complete server quickly.. Certain functions which are used in such scripts are termed to be dangerous & are turned off in the PHP configuration. Let's find out which functions are dangerous & how they are turned off..

Here's a complete list of such functions which are needed to be stopped from being executed within any website on your web hosting server:

Quote:
"apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
Locate your php.ini and then edit:
Quote:
root@server [~]# php -i | grep php.ini
You'd get "Configuration File (php.ini) Path => /etc/php.ini" or any other different location, such as /usr/local/lib/php.ini

Now edit the file using your favourite editor :
Quote:
root@server [~]# vi /etc/php.ini
Search for the following text within that configuration file & modify disable_functions = "" to
Quote:
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
After modifying the PHP configuration, the Apache web server needs to be restarted.. for the above done changes to take effect.

If you find any problems with your web-applications after disabling these above mentioned functions, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application..

Note that the above mentioned solution is applicable for both type of servers, Linux web hosting server & for Windows web hosting servers as well.. The PHP configuration on Windows is generally found in the C:\Windows folder.. Make sure you restart IIS web server PHP config modifications on windows servers too..

REFERENCES
http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/