PHP's default configuration leaves a number of dangerous functions enabled, in particular the ones that let any script on the server run shell commands. There are several ways to make it safer in a shared hosting environment, such as running modules like mod_security. Another is to disable the very functions that many PHP exploits call. This is done by simply editing php.ini and restarting Apache. You should not have any trouble with the functions below disabled, but if web pages do start to break you can always add a function back. Most of the time the page will show an error that tells you exactly which function is causing the problem.
Updated August 9th to include even more PHP functions to disable.
First we need to locate the php.ini file.
-----command-----
locate php.ini
-----command-----
For cPanel the correct file is /usr/local/lib/php.ini. The standard location for most other servers is /etc/php.ini. Go ahead and open the php.ini file.
-----command-----
pico -w /etc/php.ini
-----command-----
or for cPanel
-----command-----
pico -w /usr/local/lib/php.ini
-----command-----
Scroll down until you see the disable_functions line (the directive is disable_functions, and in a stock php.ini it is usually present but commented out). Comment any existing line out with a ";" and replace it with the following:
disable_functions = "system,exec"
Though not for everybody, you can also take a more extreme step and disable even
more PHP functions. In a shared hosting environment this may be too much, but it
is worth a try. If a user complains of trouble with a photo gallery, make sure
they are using GD and not ImageMagick: with GD they can manipulate images from
within PHP, while ImageMagick requires running external commands. Only add the following
if you are sure of what you are doing! If you have any trouble, simply remove
the offending functions and restart Apache. Here is the line that may work for you:
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"
Two entries in that list deserve a second look before you copy it. escapeshellarg and escapeshellcmd do not execute anything; they only quote arguments for the execution functions, so once exec, system, passthru, shell_exec, popen and proc_open are disabled, removing them adds no protection and breaks scripts that use them correctly. readfile, show_source and parse_ini_file read files rather than run commands, so dropping them from the list if sites depend on them does not weaken the command-execution protection.
Now save and restart Apache. To change what is disabled, simply remove from the list
the function that you want to be running. In my opinion the most important functions
to keep disabled are system and exec, as they tend to cause the
most problems and are used by many PHP exploits.
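As an added example (not code from the original post), here is a small POSIX shell script that does the two things this procedure needs in practice: report which functions from a required list a php.ini still leaves callable, and merge that list into the file's disable_functions line without dropping entries that are already there. The sample php.ini fragment and the required list below are constructed for the demonstration; the execution-related names in the list are taken from the article's own directive.

```sh
#!/bin/sh
# Added example (not from the original post): audit and update the
# disable_functions directive of a php.ini without losing entries that are
# already there. The sample php.ini text and the required list are constructed.

# Print the functions named in the last active (uncommented) disable_functions
# line of the php.ini read from stdin, one per line, trimmed and lower-cased.
# php.ini honours the last occurrence of a directive, and the value may be
# quoted or bare, so both forms are handled. Lines starting with ";" are skipped.
effective_disable_list() {
  awk '
    /^[ \t]*disable_functions[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")          # drop the "disable_functions =" part
      gsub(/"/, "")                     # accept "a,b" as well as a,b
      last = $0
    }
    END {
      n = split(last, fn, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", fn[i])
        if (fn[i] != "") print tolower(fn[i])
      }
    }'
}

# Given a comma-separated list of functions that must be disabled ($1) and a
# php.ini on stdin, print the ones that are still callable, in list order.
still_enabled() {
  disabled=$(effective_disable_list)
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | tr 'A-Z' 'a-z' |
  while IFS= read -r fn; do
    [ -n "$fn" ] || continue
    printf '%s\n' "$disabled" | grep -qxF -- "$fn" || printf '%s\n' "$fn"
  done
}

# Rewrite the php.ini on stdin so that disable_functions covers the union of
# what it already lists and the functions in $1. Existing active lines are
# commented out (the approach the article takes) and one merged, quoted line
# is appended at the end, so nothing a site relied on is silently re-enabled.
merge_disable_functions() {
  ini=$(cat)
  merged=$(
    {
      printf '%s\n' "$ini" | effective_disable_list
      printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | tr 'A-Z' 'a-z'
    } | grep -v '^$' | LC_ALL=C sort -u |
    awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
  )
  printf '%s\n' "$ini" | sed 's/^\([[:blank:]]*disable_functions[[:blank:]]*=\)/;\1/'
  printf 'disable_functions = "%s"\n' "$merged"
}

# Constructed php.ini fragment: the stock commented default plus the article's
# first, minimal setting already applied.
SAMPLE_INI='; constructed php.ini fragment for this example
engine = On
;disable_functions =
disable_functions = "system,exec"
expose_php = On'

# Constructed required list: the command-execution entries from the article.
WANTED='exec,system,passthru,shell_exec,proc_open,popen,dl'

demo() {
  echo "Still enabled on the sample server:"
  printf '%s\n' "$SAMPLE_INI" | still_enabled "$WANTED"
  echo
  echo "Hardened php.ini:"
  printf '%s\n' "$SAMPLE_INI" | merge_disable_functions "$WANTED"
}
demo
```

To use the functions on a real file, drop the demo call at the bottom, source the script, and run `effective_disable_list < /etc/php.ini` (or the cPanel path); write the output of merge_disable_functions to a new file and review it before putting it in place. After restarting Apache, confirm the running interpreter picked the change up, for example with `php -i | grep disable_functions` or a page that calls ini_get('disable_functions'), because the CLI and mod_php can read different php.ini files.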
More PHP functions for file execution
More PHP functions for file execution:
system
passthru
exec
escapeshellcmd
popen
pcntl_exec
Thanks!!!
PHP open_basedir
Users can access files (outside your web root) on the server via PHP. To block this, add the following to every <VirtualHost> of your domains:
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/USER/public_html:/home/USER:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
Remember to change "/home/USER/" to the home directory of the user and "/home/USER/public_html" to the user's web root.
Regards!!
cPanel scripts
I am new to this. Please provide details about cPanel scripts.
RE: cPanel scripts
I am not sure what you are talking about. If you want basic information about cPanel, I would suggest looking around the web; there is a lot of information, and that is not what my site focuses on.
cPanel scripts
I apologize. I want information about the scripts that are used in cPanel, like /scripts/runweblogs.
Apache
Hi,
I need certain functions turned on for some domains but turned off for others. Can this be done through Apache?
Apache
Yes and no. If you wanted to, you could use AllowOverride and an .htaccess file to get the rest of the functions enabled for a domain.
PHP safe mode
Does anyone know how to secure against this PHP safe mode bypass? Last week I got a lot of PHP shells that overcame safe mode. If anyone can help me, I will really appreciate it.
http://www.securityfocus.com/archive/1/435194
Thanks
Alias
Effort is important, but knowing where to make an effort in your life makes all the difference.
No news? I think all people are sleeping
No news? I think all people are sleeping???
Check your server, they are hacking your servers also.
PHP
For that particular thing, it looks like the best option would be to disable curl. Hopefully you have your system hardened so that even if they gain a shell they cannot do anything.
This is my php.ini
This is my php.ini "disable_functions "
disable_functions = dl,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,copy,tempnam,phpinfo
Comments most welcome....
php.ini
That is perfectly fine. Ideally you will disable as much as possible; most shared hosts just need so many functions enabled that it is not possible to be that strict. If you can, more power to you.
In regard to your PHP setting
In regard to your PHP setting:
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"
Could you please clarify the *best* suggested solution above (modified?) for this kind of environment:
cpanel shared/reseller
fantastico
imagemagick
phpsuexec
all local services (database,mail,web,dns)
Thank you.
Talk Jesus Forums & Live Chat!
www.talkjesus.com