Dangerous PHP Functions Enabled


julnil

I have a nice message in my dashboard.

Dangerous PHP Functions Enabled

We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this.
exec, system, pcntl_exec, popen, proc_open, shell_exec

It's after the big upgrade. Should I add something to a file or remove some files or just leave it?


The vast majority of self-managed hosting plans have little or no security hardening done to them. The fact that your dashboard is showing the PHP functions being enabled is a good indication that your hosting environment requires attention if you want to protect your site from hackers. In order to "really" address security you will need access to the underlying operating system. IPB could have provided a how-to on how to disable the dangerous PHP functions but there are other security issues we all should address and this is meant to be a wake-up call to take security more seriously. If we can't figure out how to harden our websites ourselves we need to engage someone who has an expertise in that area.


1 hour ago, EquiForum2012 said:

I have a nice message in my dashboard.

Dangerous PHP Functions Enabled

We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this.
exec, system, pcntl_exec, popen, proc_open, shell_exec

It's after the big upgrade. Should I add something to a file or remove some files or just leave it?

Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.


On 5/11/2018 at 2:39 PM, bfarber said:

Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.

I disabled the mentioned functions on my own server, but I asked myself, are there any disadvantages to that? Something is not or will not be running in future...?


Is there a way to permanently suppress this message? disable_functions is not a proper security boundary and if an attacker achieves the RCE necessary where disable_functions would be relevant, they can do plenty even without access to those functions. I have proper security measures in place at layers below the PHP interpreter, and this warning is superfluous for me. I can keep suppressing it every time it pops up in the Admin CP, but I'd really like a way to just make the message go away for good.


IPS has an ips4.php script you can download that will check if you are ready to use IPS Community Suite 4.x. Maybe IPS could strip the security checks from the ACP and create a security-audit.php file that people could choose to download from the marketplace to audit their website. IPB could modify the ips4.php script and the forum install script to advertise the existence of the security-audit.php file and highlight the benefits of running it. The security screening is mandatory at this point in time. If IPB made the suggested change it becomes opt-in. It appears that an opt-in approach to things is gaining popularity these days.


On 5/12/2018 at 7:28 AM, Archimed said:

Shared hosting platform will never disable those functions. You need to be on a dedicated server to do that.

Wrong. My host made changes for me and instructed me how to change those myself via php.ini. Only crappy hosts won't bother.


6 hours ago, hmikko said:

@RObiN-HoOD If yours is empty, just add:


[PHP]
; Disable Functions
disable_functions = "exec,popen,proc_open,shell_exec,system"


I would just like to point out that popen (and proc_open?) might be required for installing Pecl extensions via WHM. 
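
Added example, not part of any post in this thread and not IPS code: a PHP check that reports which of the six functions named in the dashboard warning are still callable under the runtime's `disable_functions` value. The names `parse_disabled` and `still_enabled` are made up for this example, and the constructed sample is the `disable_functions` line posted above, which does not include `pcntl_exec`.

```php
<?php
// Added example, not IPS code: list which functions from the dashboard warning
// are still callable. parse_disabled() and still_enabled() are hypothetical names.

// Copied from the dashboard message quoted in this thread.
const FLAGGED = ['exec', 'system', 'pcntl_exec', 'popen', 'proc_open', 'shell_exec'];

/** Split a disable_functions value into lowercase names; spaces and empty items are dropped. */
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

/**
 * Flagged functions that exist and are not named in $iniValue.
 * $exists can be swapped out so the logic runs without touching php.ini.
 */
function still_enabled(string $iniValue, ?callable $exists = null): array
{
    $exists = $exists ?? 'function_exists';
    $disabled = parse_disabled($iniValue);
    $open = [];
    foreach (FLAGGED as $fn) {
        // PHP 8 removes disabled functions entirely; older versions may still
        // report them as existing, so both conditions are checked. A function
        // from an extension that is not loaded (pcntl, often) is not a finding.
        if ($exists($fn) && !in_array($fn, $disabled, true)) {
            $open[] = $fn;
        }
    }
    return $open;
}

// Constructed sample: the php.ini value from the post above, evaluated as if
// every flagged function were compiled in.
$sample = 'exec,popen,proc_open,shell_exec,system';
$always = function (string $fn): bool { return true; };
echo 'sample value leaves open: ',
    implode(', ', still_enabled($sample, $always)) ?: 'none', PHP_EOL;

// Live check. The CLI and the web server often load different php.ini files,
// so run this through the same SAPI that serves the community.
echo 'php.ini in use: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
echo 'this runtime leaves open: ',
    implode(', ', still_enabled((string) ini_get('disable_functions'))) ?: 'none', PHP_EOL;
```

An empty result on the live check means every flagged function is either disabled or not present in that runtime.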


Archived

This topic is now archived and is closed to further replies.
