Dangerous PHP Functions Enabled

[marco2306]

Dangerous PHP Functions Enabled
Some functions are enabled on your server which have the potential to cause serious damage to your community or server. If you are in a shared hosting environment, some of these functions may bypass the restrictions which prevent one account on the server affecting another. Their presence also increases the amount of damage that could be caused if your AdminCP is compromised.

Since Invision Community, and most other web applications do not use these functions, we recommend disabling them on your server, at least within the directory that your community is installed in. You should contact your hosting provider or system administrator and ask them to be added to the disable_functions PHP setting.

exec system passthru popen proc_open shell_exec

I have this message ACP at Administrator Notifications.
What do I have to do to fix this?
I have no idea, even Google doesn't really have a solution for me.
I only have a web host and no server.

thank you

Best regards

[Andrey S]

Hi if you have a hosting lease then go to the folder php-bin-php7xx, there is a file php. ini here is an example content

[ISPmgr]
date.timezone = 'Europe/Moscow'
magic_quotes_gpc = Off
mail.log = "/var/www/u0000000/data/mail. log"
max_execution_time = 300
max_input_vars = 100000
memory_limit = 1024M
pcre.recursion_limit = 14000
post_max_size = 256M
realpath_cache_size = 32M
session.save_path = "/var/www/u0000000/data/bin-tmp/"
upload_max_filesize = 256M
display_errors = Off
disable_functions = exec,system,passthru,pcntl_exec,popen,proc_open,shell_exec 

what I highlighted in bold should be added to the php.ini file

[marco2306]

I don't have access to php.ini.
Can you do that via htaccess?

[Davyc]

8 minutes ago, marco2306 said:

I don't have access to php.ini.
Can you do that via htaccess?

You create a php.ini file and upload it to your server; I've attached the php.ini file that I used so you can use that.  However, there is a caveat to this and it really depends on your host as to whether a single php.ini file is applied to all folders, if it's not then you will need to upload the php.ini file to all folders for it to be fully effective.  I used a copy-file-to-multiple-folders script to do this for me before I uploaded all the IPS files to the server; even using that is only partially effective, so you may want to ask your host if the php.ini is recursive.

php.ini

[opentype]

Ask you host and tell them you want to set the mentioned “disable_functions = exec,system,passthru,pcntl_exec,popen,proc_open,shell_exec”.

They will tell you how to do it or do it for you. There is no one way that works everywhere. 

[Davyc]

1 minute ago, opentype said:

Ask you host and tell them you want to set the mentioned “disable_functions = exec,system,passthru,pcntl_exec,popen,proc_open,shell_exec”.

They will tell you how to do it or do it for you. There is no one way that works everywhere. 

I asked my host to do this for me but they were unable to do this and suggested using the php.ini method; it was something to do with the way their servers are set up and some other users on the server may require some or all of those extensions - I actually found this quite strange as if they are designated as dangerous you would assume they would be disabled by default.  @marco2306 can ask, but because he's using shared hosting he may be directed to using the php.ini file.  My own host, Ionos, are less than helpful in these instances so I had to figure it out for myself.  Some hosts are more accommodating but always be prepared for being disappointed.

The other problem is whether the php.ini file is recursive or not and if not then that php.ini file needs to be in every folder - and there are a LOT of them lol 🙂

 

[marco2306]

Thanks for the help I got here.
That with php.ini didn't work.
I will write to my provider.

[Davyc]

Just now, marco2306 said:

That with php.ini didn't work.

If you just uploaded to the root directory and nothing changed then the php.ini file is not recursive - so, if your provider can't help you need to add the php.ini file to all folders, that is a monumental pain but a penalty we have to pay for using shared hosting; if you're like me, and can't afford your own server or not savvy or brave enough to use a VPS (like me lol), then shared is all that's left available and we have to move mountains to get these functions disabled properly lol.

[marco2306]

Let's see what the provider says about it.
They are really trying hard to satisfy the customer.

[marco2306]

Answer from support:

You use PHP as CGI / FPM for your domains. This PHP variant is executed under your FTP user and is therefore already restricted to your account at user level. Therefore, the commands mentioned do not pose any risk and are therefore activated. Deactivation would be for the entire server and is therefore not possible in shared server tariffs.

[Jim M]

This warning in your ACP is a strong recommendation as these functions can be dangerous but our software can run without issue with them enabled. This is merely a recommendation to strengthen the security of your server as our software (and others) does not utilize these dangerous functions (as mentioned in the warning). If you are on a shared server, you may not have complete control over the server as indicated by your hosting provider. This would be something you would want to research if you want the capability to better secure your server or stick with your provider.

[marco2306]

Thanks for the advice here.

[Davyc]

3 hours ago, marco2306 said:

You use PHP as CGI / FPM for your domains. This PHP variant is executed under your FTP user and is therefore already restricted to your account at user level. Therefore, the commands mentioned do not pose any risk and are therefore activated. Deactivation would be for the entire server and is therefore not possible in shared server tariffs.

This is a stock reply that most shared hosts send out because any changes they make affect the whole server which may (that is a big 'may') affect other users on the server; however they have to allow for those who 'may' use them.  If you copy the php.ini file I posted into your admin directory and the warning goes away, then you can use the php.ini file in all folders.  A word of warning, putting the php.ini file solely in the admin folder is not recommended as that just removes the warning and will not give the added protection to all folders that the system will access in use.

Your alternative to copying the php.ini file to all folders (providing it works on the server your site is on) would be to change your hosting to a VPS or dedicated server where you have root access and then you can make those changes unrestricted. It is a minefield out there for VPS servers (dedicated are expensive) as to who offers the most reliable hosting.  Good luck in your endeavours and I hope that you can get this sorted.

[lazzarus]

Easy way without getting down and dirty with the php.ini file is on the server admin. Im using DirectAdmin, and probably similar options in cPanel and Plesk:
scroll down to 'advanced features' > click 'select PHP version' > 'options' > paste the following in the 'disable functions' input:

exec,system,passthru,pcntl_exec,popen,proc_open,shell_exec 

 

 

[marco2306]

Unfortunately, I don't have this option.
I can change the PHP version in the URL.

[KPDub]

On 6/23/2020 at 10:08 AM, marco2306 said:

Unfortunately, I don't have this option.
I can change the PHP version in the URL.

Don't know if you are having this problem still.  I'm using shared hosting, I had only edited the php.ini file in my installation folder - but then when I changed the PHP version to 7.4 the errors disappeard in the ACP