Posted May 11, 2018

I have a nice message in my dashboard.

Dangerous PHP Functions Enabled
We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this.
exec, system, pcntl_exec, popen, proc_open, shell_exec

It's after the big upgrade. Should I add something to a file or remove some files or just leave it...?
May 11, 2018

The vast majority of self-managed hosting plans have little or no security hardening done to them. The fact that your dashboard is showing the PHP functions being enabled is a good indication that your hosting environment requires attention if you want to protect your site from hackers. In order to "really" address security you will need access to the underlying operating system. IPB could have provided a how-to on how to disable the dangerous PHP functions but there are other security issues we all should address and this is meant to be a wake-up call to take security more seriously. If we can't figure out how to harden our websites ourselves we need to engage someone who has an expertise in that area.
May 11, 2018

1 hour ago, EquiForum2012 said:

I have a nice message in my dashboard. Dangerous PHP Functions Enabled We recommend disabling the following functions on your server, or at least in the directory that your community is installed in. If you do not manage your server yourself, your hosting provider will be able to assist with this. exec, system, pcntl_exec, popen, proc_open, shell_exec It's after the big upgrade. Should I add something to a file or remove some files or just leave it...?

Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.
May 12, 2018

Shared hosting platforms will never disable those functions. You need to be on a dedicated server to do that.
May 14, 2018

On 5/11/2018 at 2:39 PM, bfarber said:

Assuming you are using a shared hosting platform, we recommend contacting your webhost to request that those functions be disabled for extra security precaution.

I disabled the mentioned functions on my own server, but I asked myself, are there any disadvantages to that? Is something not running, or will something not run in the future...?
May 15, 2018

The functions in question we do not use and won't use. We cannot speak for other software.
May 18, 2018

Is there a way to permanently suppress this message? disable_functions is not a proper security boundary and if an attacker achieves the RCE necessary where disable_functions would be relevant, they can do plenty even without access to those functions. I have proper security measures in place at layers below the PHP interpreter, and this warning is superfluous for me.

I can keep suppressing it every time it pops up in the Admin CP, but I'd really like a way to just make the message go away for good.
May 18, 2018

IPS has an ips4.php script you can download that will check if you are ready to use IPS Community Suite 4.x.

Maybe IPS could strip the security checks from the ACP and create a security-audit.php file that people could choose to download from the marketplace to audit their website. IPB could modify the ips4.php script and the forum install script to advertise the existence of the security-audit.php file and highlight the benefits of running it.

The security screening is mandatory at this point in time. If IPB made the suggested change it becomes opt-in. It appears that an opt-in approach to things is gaining popularity these days.
May 20, 2018

I added the following line to my config file and the message went away.

ini_set('display_errors', 'Off');
May 21, 2018

On 5/12/2018 at 7:28 AM, Archimed said:

Shared hosting platforms will never disable those functions. You need to be on a dedicated server to do that.

Wrong. My host made changes for me and instructed me how to change those myself via php.ini. Only crappy hosts won't bother.
May 22, 2018

Happy for you. 99% of shared hosting platforms will never disable those functions. What do you say now?
May 22, 2018

On 5/21/2018 at 2:42 PM, hmikko said:

Wrong. My host made changes for me and instructed me how to change those myself via php.ini. Only crappy hosts won't bother.

Can you share this php.ini file?
May 22, 2018

@RObiN-HoOD If yours is empty, just add:

[PHP]
; Disable Functions
disable_functions = "exec,popen,proc_open,shell_exec,system"
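
A way to check the result of a php.ini change like the one above, as an added example that is not part of the original thread and is not Invision Community code. The function name `audit_disable_functions` is made up for this sketch; the six function names are the ones listed in the dashboard warning quoted at the top of the thread.

```php
<?php
// Added example: audit disable_functions against the dashboard's list.
// The six functions named in the warning quoted in this thread.
const RECOMMENDED = ['exec', 'system', 'pcntl_exec', 'popen', 'proc_open', 'shell_exec'];

// Split a disable_functions value (comma-separated) into clean names.
function parse_disable_functions(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, fn($n) => $n !== ''));
}

// Hypothetical helper: classify each recommended function as
//   disabled - listed in disable_functions
//   absent   - not listed, but its extension is not loaded in this SAPI
//   callable - not listed and available to any script
function audit_disable_functions(string $iniValue, array $recommended = RECOMMENDED): array
{
    $disabled = parse_disable_functions($iniValue);
    $report = [];
    foreach ($recommended as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (!function_exists($fn)) {
            $report[$fn] = 'absent';
        } else {
            $report[$fn] = 'callable';
        }
    }
    return $report;
}

// 1) Compare the line posted in the thread with the dashboard's list.
$posted = 'exec,popen,proc_open,shell_exec,system';
$uncovered = array_diff(RECOMMENDED, parse_disable_functions($posted));
echo 'Not covered by the posted line: ', implode(', ', $uncovered) ?: '(none)', "\n";

// 2) Report the live state of the interpreter running this script.
// The CLI and the web SAPI (FPM, mod_php) can load different php.ini
// files, so the loaded file is printed next to the result.
printf("SAPI: %s, php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
$live = (string) ini_get('disable_functions');
foreach (audit_disable_functions($live) as $fn => $state) {
    printf("  %-12s %s\n", $fn, $state);
}
```

Request the script through the web server rather than running it from the command line, since the dashboard warning reflects the web SAPI's configuration, and remove the file afterwards.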
May 23, 2018

6 hours ago, hmikko said:

@RObiN-HoOD If yours is empty, just add:

[PHP]
; Disable Functions
disable_functions = "exec,popen,proc_open,shell_exec,system"

I would just like to point out that popen (and proc_open?) might be required for installing Pecl extensions via WHM.
Archived
This topic is now archived and is closed to further replies.