Apache Lounge

Tip: disable_functions in PHP

Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU

PostPosted: Sat 18 Feb '06 20:08    Post subject: Tip: disable_functions in PHP

A lot of you know it already, but still I want to share:

Today an Apache user reported to me that users with upload facilities were able to execute Windows commands.

They uploaded a script and could execute, for example:

<
shell_exec('c:/del *.*')
>

It is advised to put in your php.ini:

disable_functions = "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"

With this setting users cannot execute Windows commands. Note that phpinfo is also in the list, to prevent users from seeing your PHP configuration.


Steffen
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Sun 19 Feb '06 15:02

For security it is safer to set an open_basedir to the webroot. Then you can use all functions, even exec, but only in the webroot.
NthDegree



Joined: 14 Mar 2006
Posts: 14

PostPosted: Thu 20 Apr '06 1:38    Post subject: Partitioning!

Repartition the HDD to have all the server bits in one partition.

Then block all access to drive C using NTFS permissions!

That tactic even stops directory traversal vulnerabilities from being of any real use.

Also, another nice tip is to use safe_mode_exec_dir to allow the exec family of functions to run only in the directory needed!
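As an added example (not code from the thread or from PHP itself), here is a small audit script that reads a php.ini and checks the two settings discussed above: that every function in Steffen's disable_functions list is really disabled, and that open_basedir is set as James Blond suggests. The php.ini paths in the constructed samples are made up; the parser deliberately keeps a ';' inside a quoted value, since on Windows open_basedir uses ';' to separate several paths.

```python
import re

# The list recommended in the first post of this thread.
RECOMMENDED_DISABLED = {
    "phpinfo", "dir", "readfile", "shell_exec", "exec", "virtual", "passthru",
    "proc_close", "proc_get_status", "proc_open", "proc_terminate", "system",
}

def strip_comment(line):
    """Drop a trailing ';' comment, but leave a ';' inside a quoted value alone."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line

def parse_php_ini(text):
    """Return directive -> value; the last occurrence of a directive wins."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        m = re.match(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def audit(text):
    """Return findings for a php.ini text; an empty list means both checks pass."""
    settings = parse_php_ini(text)
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    findings = []
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

# Constructed samples: a weak php.ini beside a hardened one (paths are made up).
WEAK_INI = "[PHP]\n; disable_functions = \"shell_exec\"\ndisable_functions =\n"
HARDENED_INI = ("[PHP]\ndisable_functions = \"" + ",".join(sorted(RECOMMENDED_DISABLED))
                + "\"\nopen_basedir = \"C:/Apache2/htdocs;C:/Apache2/tmp\" ; web root only\n")

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name + ":", audit(ini) or ["ok"])
```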