Dangerous Php Functions Enabled


Posted

If you are using shared hosting, contact your hosting provider and request they disable the following PHP functions on your website:

exec system passthru popen proc_open shell_exec

 

Otherwise, if you are self-hosted, go into your php.ini configuration and add them to the disable_functions directive.

Posted

They are not needed by IPS and it is very rare that they would be needed by anything third-party (the only type of script that I can think of that has an acceptable reason to use them is ffmpeg/video conversion based scripts). It's not likely Wordpress should need them either, but I cannot offer any guarantees for the Wordpress.

Posted
Quote

but I cannot offer any guarantees for the Wordpress.

Well, I can guarantee you that they are not needed for Wordpress. We have servers with several Wordpress installations on them and even more disabled functions to improve server security. The only script I know of (in the past) that did need one of those things enabled was Centovacast or the other one.

This is what we got disabled:

system,popen,shell_exec,exec,dl,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,show_source

IPS is running on that, Wordpress installations, PHPBB forum too, all work like a charm. So no need to worry about the few things IPS is asking to disable. Just disable them and be more secure.

Posted

I just want to quickly point out that the "Disable dangerous PHP functions" notice is merely a suggestion. Not doing so will not inhibit the functionality of Invision Community in any way. We're just letting you know that (1) we don't need those functions and (2) if you don't need them for some other reason (i.e. other software you are running), we recommend disabling them. The idea is that should a malicious user find some way in to your system, disabling those functions may help limit the damage that they end up doing. 

  • 2 weeks later...
Posted

Well, it doesn't do much good to have my host disable them; I still get the warning... One of the main reasons I took the site down was because I was afraid of security risks to possible future members. Any way to create a php.ini file to disable them? I don't know how to do it, but if someone has an example I might be able to write one.

Posted

Unless your host supports custom php.ini configurations, no.

You'll have to contact them for assistance on that.

But please note what bfarber said above, it's just a good practice/suggestion, not a requirement.

Posted
25 minutes ago, Makoto said:

Unless your host supports custom php.ini configurations, no.

You'll have to contact them for assistance on that.

But please note what bfarber said above, it's just a good practice/suggestion, not a requirement.

Well I will re-install it and ignore the warnings and hope nothing happens.

  • 4 months later...
Posted

If you're on GoDaddy shared hosting, just give them a call and they could assist you with such action. A php.ini or php5.ini file is required in the root of the hosting folder. If you're hosted on another provider, just give them a call and they will be more than happy to help, I'm sure. It's very simple even if it doesn't sound like it: it's a small text file with a command inside, which looks like:

disable_functions= phpinfo, exec, shell_exec, system, passthru

Some useful links you might want to visit are : CHECK MY VERSION and GODADDY HELP WITH PHP.INI

(Next info is from some deep part of my brain that I can only recall scraps out of)

The version of PHP you're running would affect which version of this file you'll need: php.ini is for PHP 5.x onwards and php5.ini for lower versions.

I could be slightly off but it's a start

Also, sometimes in cPanel you might use a ".user.ini" file. In most cases, you'll need to force stop the running PHP processes to allow the new file to take effect; in some cases the processes end automatically after 5 minutes or so anyway, so no user input is needed.

 

ALSO SOME INFO FROM GODADDY:

 

What filename does my PHP initialization file need to use?

PHP initialization files can manage form, server, and environmental variables as well as server-side cookies, temporary directories, error display, and error logging. You can look at the directives these files can control in PHP's documentation.

The file name your PHP initialization must use depends on the type of hosting account you have (more info).

| Type | Filename | Location (more info) |
|---|---|---|
| Web Hosting - Linux with PHP 5.6 (info) | php56.ini | Root of account (one per account) |
| Web Hosting - Windows with PHP 5.4 (info) | .user.ini ¹ | Root of account (one per account) |
| All Other Web Hosting | php5.ini | Root of account (one per account) |
| cPanel ² | .user.ini ¹ | /public_html (one per account) |
| Plesk | .user.ini ¹ | Website root (one per website) |
| Managed WordPress | .user.ini ¹ ³ | /html (one per website) |

If you don't see the file that you need listed in your hosting account, you will need to create a file with the filename listed above for your hosting type. If changes to your PHP initialization file are not taking effect, we have troubleshooting steps available here.

Web Hosting accounts running Windows with IIS 6 do not support PHP and therefore do not support PHP initialization files.

¹ .user.ini files do not let you modify all of the same settings as php.ini files (PHP's documentation) and are only compatible with PHP versions 5.4 and above (Web & Classic / cPanel / Plesk).

² When using cPanel, you can also modify the php.ini file when selecting which PHP version you are using by clicking Switch To PHP Options. For more information, see View or change your PHP version in cPanel hosting.

³ Managed WordPress accounts also support using php.ini files, but because of the difficulty in refreshing them when they're updated, we recommend using .user.ini files instead.
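
A way to check what a given disable_functions value actually covers, as an added example that is not part of any post above and is not Invision Community code. It compares the two lists quoted in this thread, and the value the running PHP process really loaded, against the six functions named in the first post; the helper names parse_disabled and not_covered are made up for this example.

```php
<?php
// Added example: audit a disable_functions value against the six functions
// the first post of this thread asks to have disabled.
const RECOMMENDED = ['exec', 'system', 'passthru', 'popen', 'proc_open', 'shell_exec'];

/** Split a comma-separated disable_functions value into a clean list of names. */
function parse_disabled(string $value): array
{
    // Names are compared exactly as written; only surrounding whitespace is dropped.
    $names = array_map('trim', explode(',', $value));
    return array_values(array_filter($names, 'strlen'));
}

/** Return the recommended functions that the given value leaves enabled. */
function not_covered(string $value): array
{
    return array_values(array_diff(RECOMMENDED, parse_disabled($value)));
}

$samples = [
    // The two lists below are copied verbatim from posts in this thread.
    'server list'  => 'system,popen,shell_exec,exec,dl,passthru,escapeshellarg,'
                    . 'escapeshellcmd,proc_close,proc_open,show_source',
    'php.ini line' => 'phpinfo, exec, shell_exec, system, passthru',
    // The value this PHP process is actually running with.
    'this process' => (string) ini_get('disable_functions'),
];

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

foreach ($samples as $label => $value) {
    $gap = not_covered($value);
    printf(
        "%-13s %s\n",
        $label . ':',
        $gap ? 'still enabled: ' . implode(', ', $gap) : 'all six disabled'
    );
}

// Shows which configuration file was read, which helps when an edit
// to php.ini appears to have no effect.
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
```

Request it through the web server rather than the command line, since the CLI may load a different php.ini, and delete the file afterwards so it does not expose the configuration.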

Archived

This topic is now archived and is closed to further replies.
