
Disabling Dangerous PHP Functions..

October 7th, 2009

Have you ever wondered which PHP functions are considered highly dangerous
in a web hosting environment and should be left disabled in the
configuration?

PHP is a powerful language which, when used improperly, whether knowingly
or not, can compromise a web hosting server and allow user accounts to be
exploited, potentially up to root level. An attacker who uses an insecure
PHP script as an entry point to a hosting server can run arbitrary
commands and quickly take control of the whole machine. The functions such
scripts rely on are considered dangerous and are turned off in the PHP
configuration. Let's look at which functions these are and how they are
disabled.

Here is the complete list of functions that should be blocked from
executing in any website on your web hosting server:

"apache_child_terminate, apache_setenv, define_syslog_variables,
escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect,
ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist,
highlight_file, ini_alter, ini_get_all, ini_restore, inject_code,
mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo,
phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen,
posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid,
posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status,
proc_nice, proc_open, proc_terminate, shell_exec, syslog, system,
xmlrpc_entity_decode"

Open the PHP configuration file:

vi /usr/local/lib/php.ini

Set the disable_functions directive:

disable_functions = "apache_child_terminate, apache_setenv,
define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp,
fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put,
ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore,
inject_code, mysql_pconnect, openlog, passthru, php_uname,
phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode,
phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo,
posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname,
proc_close, proc_get_status, proc_nice, proc_open, proc_terminate,
shell_exec, syslog, system, xmlrpc_entity_decode, dl, myshellexec"

Save the file and quit vi:

:wq

Then restart the web server so the new configuration is loaded:

service httpd restart

That’s it
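As an added check that is not part of the original post, the POSIX shell script below audits a php.ini against the list given above and reports which of those functions the file still leaves enabled. The functions, the temporary file path and the sample php.ini fragment it writes for its demonstration are all constructed here for illustration; run audit_php_ini against your real php.ini (for example /usr/local/lib/php.ini from the post) to check a server.

```shell
#!/bin/sh
# Added audit script for the disable_functions directive described in the post.
# Not code from the post: it compares a php.ini against the post's list.
# The temp file path and the sample ini content below are constructed.

# The post's list, with the duplicated posix_setuid entry written once.
REQUIRED="apache_child_terminate apache_setenv define_syslog_variables
escapeshellarg escapeshellcmd eval exec fp fput ftp_connect ftp_exec ftp_get
ftp_login ftp_nb_fput ftp_put ftp_raw ftp_rawlist highlight_file ini_alter
ini_get_all ini_restore inject_code mysql_pconnect openlog passthru php_uname
phpAds_remoteInfo phpAds_XmlRpc phpAds_xmlrpcDecode phpAds_xmlrpcEncode popen
posix_getpwuid posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid
posix_uname proc_close proc_get_status proc_nice proc_open proc_terminate
shell_exec syslog system xmlrpc_entity_decode dl myshellexec"

# Print the value of the active disable_functions line in the php.ini named by $1.
# Lines starting with ';' are ini comments and never match; if the directive
# appears more than once the last assignment wins. Surrounding quotes are dropped.
extract_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"'
}

# Print every name from REQUIRED that is absent from the comma or space
# separated list in $1. Both sides are lowercased so a capitalisation
# difference alone is not reported as a missing entry.
missing_functions() {
    disabled=" $(printf '%s' "$1" | tr ',' ' ' | tr '[:upper:]' '[:lower:]' \
        | tr -s '[:space:]' ' ') "
    for fn in $(printf '%s' "$REQUIRED" | tr '[:upper:]' '[:lower:]'); do
        case "$disabled" in
            *" $fn "*) ;;                 # present in disable_functions
            *) printf '%s\n' "$fn" ;;      # still callable
        esac
    done
}

# Audit one php.ini: print what is still enabled and return 1,
# or return 0 when every function in the list is disabled.
audit_php_ini() {
    missing=$(missing_functions "$(extract_disabled "$1")")
    if [ -n "$missing" ]; then
        printf 'still enabled according to %s:\n%s\n' "$1" "$missing"
        return 1
    fi
    printf 'ok: %s disables every function in the list\n' "$1"
    return 0
}

# Stand-alone demonstration on a constructed php.ini fragment (not a real server file).
demo_audit() {
    ini="${TMPDIR:-/tmp}/php-ini-audit-demo.$$"
    cat > "$ini" <<'EOF'
; constructed sample fragment, not a real php.ini
engine = On
disable_functions = "exec, passthru, shell_exec, system, popen, proc_open"
EOF
    audit_php_ini "$ini"
    status=$?
    rm -f "$ini"
    return $status
}

# The demo file is deliberately incomplete, so the audit reports the rest of the list.
demo_audit || true
```

One caveat worth knowing when reading the audit output: eval is a PHP language construct rather than a function, so listing it in disable_functions does not prevent its use; the script still reports it because the post's list includes it.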
