Dangerous PHP Functions Must be Disabled

Posted 7 April, 11:46 AM


PHP (Hypertext Preprocessor) is a powerful and popular server-side scripting language used to serve dynamic web pages. It is simple to code and debug, and it supports several databases, such as MySQL, MS SQL and Oracle.

But have you ever considered that some PHP functions can be very dangerous for your server and the data stored on it?

When PHP code is written insecurely or used improperly, it can compromise a web hosting server and leave it open to attackers. Insecure PHP code can damage your server's data to a degree you would not expect.

Through such a security hole, attackers can call some very dangerous and powerful PHP functions and take control of your web hosting server. There are many such PHP functions that should be disabled in the PHP configuration file. Let’s look at the functions that should be disabled in php.ini on your web server right away.

The following is a list of dangerous PHP functions:

apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
exec
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_get_all
ini_restore
inject_code
mysql_pconnect
openlog
passthru
php_uname
phpAds_remoteInfo
phpAds_XmlRpc
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
popen
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
syslog
system
xmlrpc_entity_decode

On cPanel servers where the PHP handler is configured to use DSO, PHP runs as the “nobody” user. This can become a security hole and cause major problems if you have set 777 permissions: mode 777 lets the “nobody” user read, write and execute the file. So it is better to be careful with permissions.

It is always recommended to set permissions to 755, so that no one else can edit or change the files. PHPsuexec refuses to run PHP scripts that have 777 permissions, and such files cannot be read either. It should always be enabled to ensure maximum security.
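A quick way to find the 777-style permissions described above is to walk the document root and flag every entry whose mode lets “other” (the group the “nobody” user falls into under a DSO handler) write to it. The following is an added example, not code from the original post; it builds a small demo tree under the system temp directory so it runs anywhere, and the real document root is an assumption passed as the first argument.

```php
<?php
// Added example, not from the original post: report files and directories
// under a document root that are world-writable (the "other write" bit set),
// which is what a 777 mode grants to the "nobody" user a DSO-handled PHP runs as.
declare(strict_types=1);

// Return [path => octal mode] for every entry under $root that is world-writable.
function find_world_writable(string $root): array
{
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode = fileperms($path);
        if ($mode === false) {
            continue;
        }
        // 0002 is the "other write" bit; 0777 and 0666 both set it.
        if (($mode & 0002) !== 0) {
            $found[$path] = sprintf('%04o', $mode & 0777);
        }
    }
    ksort($found);
    return $found;
}

// Constructed demo tree (an assumption of this example, not a real docroot):
// one correctly set file and one with the dangerous 777 mode.
$demoRoot = sys_get_temp_dir() . '/perm-demo';
@mkdir($demoRoot . '/public', 0755, true);
file_put_contents($demoRoot . '/public/index.php', "<?php echo 'ok';\n");
file_put_contents($demoRoot . '/public/upload.php', "<?php\n");
chmod($demoRoot . '/public/index.php', 0644);
chmod($demoRoot . '/public/upload.php', 0777);

// Pass the real document root as the first argument; the demo tree is the default.
$docroot = $argv[1] ?? $demoRoot;
foreach (find_world_writable($docroot) as $path => $mode) {
    printf("%s  %s  (world-writable)\n", $mode, $path);
}
```

Run it as `php find-world-writable.php /home/user/public_html` (the file name and path are placeholders) and fix each reported entry with chmod 755 as the post recommends. The check looks only at the mode bits, not at ownership, so a file owned by the wrong user with a tight mode will not be reported.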

PHP functions such as “exec” and “system” are used to execute external programs, including shell commands. If these two functions are enabled, a user can enter any command as input and have it executed on your server. The user could delete all of your data simply by supplying an “rm -rf *” command, or append any command to an argument by using (;). It is therefore better to disable the “exec” and “system” functions in your php.ini configuration file.
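The (;) problem above comes from concatenating user input into a command line that /bin/sh then parses. The following is an added example, not code from the original post, showing a directory-listing endpoint written that way beside a version that never reaches the shell at all. The base directory is created under the system temp directory so the script runs anywhere (an assumption of this demo); the “dir” value is the only untrusted input.

```php
<?php
// Added example, not from the original post: a directory listing that hands
// user input to the shell, beside a hardened version that avoids the shell.
declare(strict_types=1);

// Base directory the listing is confined to. Created under the temp directory
// so the script is self-contained (an assumption of this demo).
$base = sys_get_temp_dir() . '/listing-demo';
@mkdir($base . '/reports', 0755, true);
touch($base . '/reports/q1.txt');
define('LISTING_BASE', realpath($base));

// VULNERABLE: the raw value is concatenated into a shell command line, so a
// value such as "reports; <other command>" is parsed by /bin/sh as two
// commands. Shown for contrast only; it is never called with untrusted input here.
function list_dir_vulnerable(string $dir): string
{
    return (string) shell_exec('ls -l ' . LISTING_BASE . '/' . $dir);
}

// HARDENED: accept a single path component of safe characters, confine the
// resolved path to LISTING_BASE, and use scandir() so no shell is involved.
// This keeps working when exec/system/shell_exec are in disable_functions.
function list_dir_hardened(string $dir): array
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $dir)) {
        throw new InvalidArgumentException('invalid directory name');
    }
    $target = realpath(LISTING_BASE . '/' . $dir);
    // realpath() is false for missing paths; the prefix check stops traversal.
    if ($target === false || strpos($target, LISTING_BASE . '/') !== 0) {
        throw new RuntimeException('directory not found');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Constructed request values: a valid name, a ';' injection attempt, and a
// traversal attempt. Only the first one is listed.
foreach (['reports', 'reports; id', '../..'] as $input) {
    try {
        $entries = list_dir_hardened($input);
        printf("%-14s -> %s\n", $input, implode(', ', $entries));
    } catch (Exception $e) {
        printf("%-14s -> rejected: %s\n", $input, $e->getMessage());
    }
}
```

The hardened version does not depend on escaping at all: the allowlist rejects every metacharacter before a path is built, and scandir() does the work that the shell was doing. That is the pattern to keep in mind when the functions below are disabled and an application has to be rewritten to cope.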

Enter the following command over SSH to find your php.ini file:

root@server [~]# php -i | grep php.ini

Most often it will be /etc/php.ini, though it may also be /usr/local/lib/php.ini.

Enter the following command to edit the file using your favorite editor. I have used the vi editor here:

root@server [~]# vi /etc/php.ini

Search for the text “disable_functions” in the php.ini file.

disable_functions is the directive used to disable insecure PHP functions.

Once you find the “disable_functions” directive in the configuration file, change disable_functions = "" to the following:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

The above change applies to both Linux and Windows servers.

Once you have modified php.ini, restart the Apache web server on Linux or the IIS web server on Windows for the changes to take effect.
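After the restart it is worth confirming that the directive actually took effect, because php-cli, mod_php and php-fpm can each load a different php.ini, so the file reported by `php -i` is not necessarily the one Apache uses. The following is an added example, not code from the original post: it takes the list above, asks the running interpreter which names are still callable, and exits non-zero if any are. The script name is a placeholder; nothing else is assumed.

```php
<?php
// Added example, not from the original post: audit the running interpreter
// against the post's function list. Run it under the SAPI you want to check.
declare(strict_types=1);

// The post's list, with the duplicate posix_setuid entry dropped.
const DANGEROUS_FUNCTIONS = [
    'apache_child_terminate', 'apache_setenv', 'define_syslog_variables',
    'escapeshellarg', 'escapeshellcmd', 'eval', 'exec', 'fp', 'fput',
    'ftp_connect', 'ftp_exec', 'ftp_get', 'ftp_login', 'ftp_nb_fput',
    'ftp_put', 'ftp_raw', 'ftp_rawlist', 'highlight_file', 'ini_alter',
    'ini_get_all', 'ini_restore', 'inject_code', 'mysql_pconnect', 'openlog',
    'passthru', 'php_uname', 'phpAds_remoteInfo', 'phpAds_XmlRpc',
    'phpAds_xmlrpcDecode', 'phpAds_xmlrpcEncode', 'popen', 'posix_getpwuid',
    'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid',
    'posix_setuid', 'posix_uname', 'proc_close', 'proc_get_status',
    'proc_nice', 'proc_open', 'proc_terminate', 'shell_exec', 'syslog',
    'system', 'xmlrpc_entity_decode',
];

// Split a disable_functions value into trimmed, lower-cased names.
function parse_disable_functions(string $value): array
{
    $names = array_map('trim', explode(',', strtolower($value)));
    return array_values(array_filter($names, 'strlen'));
}

// Sort the list into three buckets. function_exists() is false both for a
// disabled internal function and for a name PHP never defined, so the ini
// value is used to tell those two cases apart.
function audit_functions(array $wanted, string $disableFunctionsValue): array
{
    $disabled = array_flip(parse_disable_functions($disableFunctionsValue));
    $report = ['callable' => [], 'disabled' => [], 'not_defined' => []];
    foreach ($wanted as $name) {
        if (function_exists($name)) {
            $report['callable'][] = $name;
        } elseif (isset($disabled[strtolower($name)])) {
            $report['disabled'][] = $name;
        } else {
            $report['not_defined'][] = $name;
        }
    }
    return $report;
}

$iniFile = php_ini_loaded_file();
printf("Loaded php.ini: %s\n", $iniFile === false ? '(none)' : $iniFile);
$report = audit_functions(DANGEROUS_FUNCTIONS, (string) ini_get('disable_functions'));
foreach ($report as $bucket => $names) {
    printf("%-12s (%2d): %s\n", $bucket, count($names), implode(', ', $names));
}
// Non-zero exit when anything on the list can still be called, so the script
// can be used as a post-deploy check.
exit($report['callable'] === [] ? 0 : 1);
```

To audit the web server's PHP rather than the command-line one, serve the script from a test virtual host once and read its output there, then remove it. Expect “eval” in the not_defined bucket whatever you put in php.ini: it is a language construct, not a function, and disable_functions has no effect on it. Names such as fp, fput, inject_code and the phpAds_* entries will also land there on a stock build, since they are not built-in PHP functions; disable_functions silently ignores names it does not know.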

After disabling the above functions, some of your web applications may break. For example, if you disable “shell_exec” and open Fantastico in cPanel, you may see the following error:

Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *

In this case, you should run the following from SSH:

/scripts/makecpphp

This command installs a separate copy of PHP for use by the cPanel/WHM backend and its add-ons such as Fantastico.


Mac Wilson

Mac Wilson is a technology writer and a Sales and Marketing Executive at eUKhost Ltd. He loves to write about the latest technologies and trends, such as cloud computing, that are changing the way people do business.

