Q. I run a small Apache-based webserver for my personal use and it is shared with friends and family. However, most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec(), system(), etc. functions. How do I disable these functions to improve my PHP script security?
A. PHP has a lot of functions which, if not used properly, can be used to compromise your server. You can set a list of functions to block in php.ini using the disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini; for example, you cannot set it in httpd.conf.
Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Save and close the file. Restart httpd:
# service httpd restart
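After the restart it is worth confirming that the directive is actually in force for the PHP that serves your pages, rather than trusting the edit alone. The audit script below is an added example, not part of the original answer: it reads the live disable_functions value with ini_get(), compares it with the list from the php.ini line above (assumed here to be the intended policy), checks with function_exists() whether any of those functions are still callable, and confirms that a script cannot override the directive with ini_set(). The file name audit.php and the php.ini path are assumptions.

```php
<?php
// Added example (not from the original post): audit whether the functions the
// answer lists are really disabled in the PHP runtime that serves the site.
// Run it under the same SAPI as the web server (drop it in the docroot and
// request it over HTTP, or run `php -c /etc/php.ini audit.php`), because the
// CLI may load a different php.ini than mod_php or php-fpm.

// The list from the answer's php.ini line (assumed to be the intended policy).
$expected = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
             'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];

// ini_get() returns the raw comma-delimited string from php.ini; normalise it.
$configured = array_values(array_filter(
    array_map('trim', explode(',', (string) ini_get('disable_functions')))
));

/**
 * Return the names from $expected that are still callable in this process.
 * function_exists() is false for functions removed via disable_functions
 * (and also for extensions that are simply not loaded, e.g. curl_* without
 * ext/curl, which is a safe result for this purpose).
 */
function stillCallable(array $expected): array
{
    return array_values(array_filter($expected, 'function_exists'));
}

$missingFromIni = array_values(array_diff($expected, $configured));
$callable       = stillCallable($expected);

echo "Loaded php.ini:      ", php_ini_loaded_file() ?: '(none)', PHP_EOL;
echo "disable_functions:   ", implode(',', $configured) ?: '(empty)', PHP_EOL;
echo "Missing from policy: ", implode(',', $missingFromIni) ?: 'none', PHP_EOL;
echo "Still callable:      ", implode(',', $callable) ?: 'none', PHP_EOL;

// disable_functions is PHP_INI_SYSTEM: it cannot be changed from a script,
// .htaccess or .user.ini. ini_set() returns false when it refuses the change,
// so anything other than false here means the directive is not being enforced.
$override = ini_set('disable_functions', '');
echo "ini_set() override:  ",
     $override === false ? 'refused (expected)' : 'ACCEPTED (check your config)',
     PHP_EOL;

// Non-zero exit lets you wire this into a post-deploy check.
exit($callable === [] && $missingFromIni === [] ? 0 : 1);
```

The "Loaded php.ini" line is the one to look at first: if it is not the file you edited, the change was made to a php.ini the web server never reads, and `php --ini` (for the CLI) or phpinfo() (for the web SAPI) will show which files are actually loaded.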
11 comments:
This is not enough because you can always use “`”, which will bypass these limitations.
I guess if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.
Davide, you are wrong: “`” uses the shell_exec function, so if we disable shell_exec then “`” will be disabled too.
Why is “parse_ini_file” disabled?
You should make sure the user cannot override the setting using .htaccess or custom php.ini
show_source is an alias of highlight_file.
Why would you disable this function?
You can read the contents of a file with readfile() or file_get_contents :/
readfile() and file_get_contents() functions are subject to the open_basedir restriction.
Obviously you should set the open_basedir php setting to your docroot, so the scripts won’t be able to read files above docroot in your file system!
If I create a custom php.ini file, it would overwrite the disable_functions directive, so this is useless.
How can you overcome that?
“ubuntu lover”: Either you want to disable those functions or not. If you want to, you have to change php.ini: overwrite disable_functions and set a new list or modify the existing one. I’m not sure why you think it makes it useless. Only the server admin can do that, and he will only disable the functions he wants, editing that list.
Also Eric says: “if you really need those functions, you can overwrite the configuration using ini_set function in your script to enable them for a particular site.” But again you can do that only on the server side.
These functions are easily bypassed with a CGI telnet Perl script!
So what’s the solution? To disable telnet?