php.ini in forums folder not being used (re Dangerous PHP Functions Enabled)

[Washerhelp]

My website runs both WordPress, and Invision forums. Both in their own folders.

Some time ago, I received the "Dangerous PHP Functions Enabled" warning from my dashboard. So I added the following PHP.ini file in my root folder -

disable_functions = "exec, system, pcntl_exec, popen, proc_open, shell_exec, passthru"

This solved the issue. However, whilst troubleshooting a WordPress issue yesterday, I was told by my hosting tech support that some WordPress plug-ins need the exec function, and indeed this particular issue was fixed by removing the "exec" section.

But the warning has now returned in my Invision forums dashboard. The warning states that, "we recommend disabling them on your server, at least within the directory that your community is installed in". So I went over to the forums directory only to discover that I already have a PHP.ini file there, and it is already saying the following -

display_errors = Off
disable_functions = "exec, system, pcntl_exec, popen, proc_open, shell_exec, passthru"
auto_prepend_file = none

So for some reason, Invision is not using the PHP.ini file it's "forums" folder. I can't help thinking that for some reason the PHP.ini file in the root is the only one being read and used. But if that is the case, what is the point in having a PHP.ini file inside a folder?

[Randy Calvert]

This is a hosting related issue and outside of the IPS software itself. However with that said, the recommendations are best practices. You don’t “have” to follow it. 

Personally any script/addon using exec is lazy coding and is asking to be exploited. But that’s for you to measure the risk v reward. 

[Washerhelp]

Many thanks for your reply Randy. I shall definitely bring that up with my hosting company, especially as it is actually their own cache plug-in that is the culprit.

Are you confirming that any PHP.ini file in a root folder will override any PHP.ini file inside of a subfolder?

I'm not sure how this all works, but are you saying that my hosting company has deliberately set it all up so that software running on it ignores PHP.INI files inside folders?

I'm wondering what would happen if I removed the PHP.ini file in the root folder, and had separate ones inside the WordPress, and Invision forums folder?

[Marc]

The answer to that question is, it depends on how your hosting is set up. These are questions that can only be answered for certain by your host

[Washerhelp]

Thanks Marc,  I thought all this stuff worked according to specific unchangeable rules? .htaccess files, PHP.ini files, HTML, CSS etc. I didn't realise that different hosting companies can change the rules. Or that they would possibly want to stop PHP.ini files being used by software running inside a folder?

[Randy Calvert]

They can disable custom php.ini entirely if they want. 🙂 

[Washerhelp]

Just now, Randy Calvert said:

They can disable custom php.ini entirely if they want. 🙂 

Wow, I suppose some might, but I'm pretty sure mine allows everything as it provides full php version control, and php.ini editors in the dashboard.

[Jim M]

3 minutes ago, Washerhelp said:

Wow, I suppose some might, but I'm pretty sure mine allows everything as it provides full php version control, and php.ini editors in the dashboard.

Something you'd want to ask your hosting provider and want to know how they handle custom php.ini's. Could be set just for the directory the custom php.ini is in, which would defeat the purpose of this recommendation. You would want this set throughout to help protect your server.

[Washerhelp]

Many thanks. I will quiz them about it.

[Washerhelp]

I've found out it was because I had what they called Ultrafast PHP enabled -

 

"Standard PHP vs Ultrafast PHP

Ultrafast PHP is up to 30% faster than the Standard PHP and while on it, all subdomains are inheriting the PHP settings of the main site. Standard PHP is slightly slower but allows for per instance PHP management."

Thanks for your help.

[Marc]

Glad to hear you found what you needed there 🙂