Dangerous PHP Functions Enabled Fix?

[JacobM]

New install on a shared hosting plan via BlueHost. I have access to the php.ini through the cPanel MultiPHP INI Editor for the domain and have checked that, but still getting this error. More than likely something I am doing wrong; however, I'd like to fix the issue. Error is:

MultiPHP INI Editor has the following:

; cPanel-generated php ini directives, do not edit
; Manual editing of this file may result in unexpected behavior.
; To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
; For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

 

[Randy Calvert]

I don't believe disable_functions is available via the user side of the cPanel MultiPHP INI.  

https://features.cpanel.net/topic/add-disable_functions-to-multiphp-ini-editor-basic-mode

https://serverok.in/php-disable_functions-php-fpm-cpanel (this is in reverse of what you what, but shoes it's not a user level activity, but instead a server level function meaning WHM or admin level SSH is needed)

You might need to make the request to your host to disable this for you potentially if they're willing to do it.  

[Pescao6]

You can add them under cPanel -> PHP Selector -> Options

Your host can also help you doing this if you send them a ticket.

[Marc Stridgen]

I will move this to advanced hosting support, as this is an issue you need to resolve with your host, rather than with our software here.

[SeNioR-]

If you can edit php.ini, add:

[PHP]
expose_php = Off
disable_functions = "exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,pcntl_exec"

 

Edited February 7, 2022 by SeNioR-

[Randy Calvert]

11 minutes ago, SeNioR- said:

If you can edit php.ini, add:

[PHP]
expose_php = Off
disable_functions = "exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,pcntl_exec"

 

The OP is on a shared hosting plan so this I don’t believe would be directly accessible to them. 

[IveLeft...]

Quite often with shared hosting - no matter what you do to disable dangerous PHP commands, it still doesnt work and more often than not the host isn't willing or able to disable these as its affects all customers on the shared environment.

[SeNioR-]

2 hours ago, Randy Calvert said:

The OP is on a shared hosting plan so this I don’t believe would be directly accessible to them. 

You'd be surprised because many shared hostings, allows to edit php.ini 😉 

Edited February 7, 2022 by SeNioR-

[Randy Calvert]

27 minutes ago, SeNioR- said:

You'd be surprised because many shared hostings, allows to edit php.ini 😉 

Wow… in that case I would find a new shared host. That’s scary based on the power that file contains!!

I could do a lot of damage with the various directives on direct editing of that file!

[Sledge FTB]

18 minutes ago, Randy Calvert said:

in that case I would find a new shared host. That’s scary based on the power that file contains!!

Not necessary. A a lot of shared hostings are running in boxed/virtual environments. For example if the kernel is running on CloudLinux with proper use of CageFS. In such case you can't affect other users on the server with your php.ini and/or any of those "dangerous" PHP functions (or, more important, the other users on the server can't affect you with those ).

[JacobM]

Thanks, all. I appear to have access to the php.ini file, so I did as @SeNioR- instructed and added that code. If that doesn't work I'll go the route of asking my host to assist in disabling those features.

Edited February 8, 2022 by JacobM

[JacobM]

So far I haven't seen this error pop back up, so I think that was the solution. Thanks, gentlemen!