julnil Posted May 11, 2018

I have a nice message in my dashboard.

    Dangerous PHP Functions Enabled
    We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this.
    exec, system, pcntl_exec, popen, proc_open, shell_exec

It's after the big upgrade. Should I add something to a file or remove some files or just leave it...?
Chris Anderson Posted May 11, 2018

The vast majority of self-managed hosting plans have little or no security hardening done to them. The fact that your dashboard is showing the PHP functions being enabled is a good indication that your hosting environment requires attention if you want to protect your site from hackers. In order to "really" address security you will need access to the underlying operating system.

IPB could have provided a how-to on how to disable the dangerous PHP functions but there are other security issues we all should address and this is meant to be a wake-up call to take security more seriously. If we can't figure out how to harden our websites ourselves we need to engage someone who has expertise in that area.
bfarber Posted May 11, 2018

1 hour ago, EquiForum2012 said:

    I have a nice message in my dashboard.
    Dangerous PHP Functions Enabled
    We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this.
    exec, system, pcntl_exec, popen, proc_open, shell_exec
    It's after the big upgrade. Should I add something to a file or remove some files or just leave it...?

Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.
SoloInter Posted May 12, 2018

Shared hosting platforms will never disable those functions. You need to be on a dedicated server to do that.
steel51 Posted May 14, 2018

On 5/11/2018 at 2:39 PM, bfarber said:

    Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.

I disabled the mentioned functions on my own server, but I asked myself, are there any disadvantages to that? Is there something that is not running, or will not run in the future...?
bfarber Posted May 15, 2018

The functions in question we do not use and won't use. We cannot speak for other software.
skizzerz Posted May 18, 2018

Is there a way to permanently suppress this message? disable_functions is not a proper security boundary and if an attacker achieves the RCE necessary where disable_functions would be relevant, they can do plenty even without access to those functions. I have proper security measures in place at layers below the PHP interpreter, and this warning is superfluous for me.

I can keep suppressing it every time it pops up in the Admin CP, but I'd really like a way to just make the message go away for good.
Chris Anderson Posted May 18, 2018

IPS has an ips4.php script you can download that will check if you are ready to use IPS Community Suite 4.x.

Maybe IPS could strip the security checks from the ACP and create a security-audit.php file that people could choose to download from the marketplace to audit their website. IPB could modify the ips4.php script and the forum install script to advertise the existence of the security-audit.php file and highlight the benefits of running it.

The security screening is mandatory at this point in time. If IPB made the suggested change it becomes opt-in. It appears that an opt-in approach to things is gaining popularity these days.
SJ77 Posted May 20, 2018

I added the following line to my config file and the message went away.

    ini_set('display_errors', 'Off');
hmikko Posted May 21, 2018

On 5/12/2018 at 7:28 AM, Archimed said:

    Shared hosting platforms will never disable those functions. You need to be on a dedicated server to do that.

Wrong. My host made changes for me and instructed me how to change those myself via php.ini. Only crappy hosts won't bother.
SoloInter Posted May 22, 2018

Happy for you. 99% of shared hosting platforms will never disable those functions. What do you say now?
Kjell Iver Johansen Posted May 22, 2018

My host fixed it for me also. I'm on shared too.
RObiN-HoOD Posted May 22, 2018

On 5/21/2018 at 2:42 PM, hmikko said:

    Wrong. My host made changes for me and instructed me how to change those myself via php.ini. Only crappy hosts won't bother.

Can you share this php.ini file?
hmikko Posted May 22, 2018

@RObiN-HoOD If yours is empty, just add:

    [PHP]
    ; Disable Functions
    disable_functions = "exec,popen,proc_open,shell_exec,system"
TDBF Posted May 23, 2018

6 hours ago, hmikko said:

    @RObiN-HoOD If yours is empty, just add:
    [PHP]
    ; Disable Functions
    disable_functions = "exec,popen,proc_open,shell_exec,system"

I would just like to point out that popen (and proc_open?) might be required for installing PECL extensions via WHM.
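
Added example (not part of any post in this thread, and not Invision Community's code): a small Python check that parses php.ini text and reports which of the six functions named in the dashboard warning a disable_functions line leaves enabled. The function names and sample inputs are constructed for illustration; run on the php.ini lines posted above, it reports pcntl_exec as not covered.

```python
# The six functions named in the dashboard warning quoted in this thread.
FLAGGED = ("exec", "system", "pcntl_exec", "popen", "proc_open", "shell_exec")

def disabled_functions(ini_text):
    """Return the set of names in the last disable_functions directive."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and section headers such as [PHP].
        if not line or line.startswith((";", "[")):
            continue
        key, sep, rest = line.partition("=")
        if not sep or key.strip() != "disable_functions":
            continue
        rest = rest.strip()
        if rest.startswith('"'):
            # Quoted value: take everything up to the closing quote.
            rest = rest[1:].split('"', 1)[0]
        else:
            # Unquoted value: a ';' starts a trailing comment.
            rest = rest.split(";", 1)[0]
        value = rest  # a later directive overrides an earlier one
    # Names are comma-separated; tolerate spaces around them.
    return set(value.replace(",", " ").split())

def still_enabled(ini_text, flagged=FLAGGED):
    """List flagged functions the ini text does not disable, in dashboard order."""
    disabled = disabled_functions(ini_text)
    return [name for name in flagged if name not in disabled]

# Constructed sample: the php.ini contents posted earlier in the thread.
POSTED_INI = '''[PHP]
; Disable Functions
disable_functions = "exec,popen,proc_open,shell_exec,system"
'''

# Constructed sample: the same directive extended to all six flagged names.
FULL_INI = '''[PHP]
disable_functions = exec, system, pcntl_exec, popen, proc_open, shell_exec ; all six
'''

if __name__ == "__main__":
    print("posted php.ini leaves enabled:", still_enabled(POSTED_INI))
    print("full list leaves enabled:", still_enabled(FULL_INI))
    print("empty php.ini leaves enabled:", still_enabled(""))
```

This reads only the text it is given; the value PHP actually applies is the one shown by phpinfo() or php -i for the interpreter serving the site.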
Archived
This topic is now archived and is closed to further replies.