Forum Index -> How-to's & Documentation & Tips
Topic: Tip: disable_functions in PHP
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3053
Location: Hilversum, NL, EU

PostPosted: Sat 18 Feb '06 20:08    Post subject: Tip: disable_functions in PHP

A lot of you know it already, but still I want to share;

Today an Apache user reported to me that users with upload facility were able to execute Windows commands.

They uploaded a script and could execute for example:

<?php
shell_exec('c:/del *.*');
?>

It is advised to put in your php.ini:

disable_functions = "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"

With this setting users cannot execute Windows commands. Note that phpinfo is also in the list, to prevent users from seeing your PHP configuration.


Steffen
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg

PostPosted: Sun 19 Feb '06 15:02    Post subject:

For security it is safer to set an open_basedir to the webroot. So you can use all functions, even exec, but only in the webroot.
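The two posts above recommend two php.ini directives: a disable_functions list and an open_basedir restriction. The following is an added audit script, not code from the thread or from the PHP project, that parses a php.ini fragment and reports which of the functions from Steffen's list are still enabled and whether open_basedir is set. The php.ini samples inside it are constructed for the example; note that a directive line without an "=" (as in the original post) is not a valid php.ini assignment and is skipped by this parser.

```python
"""Audit a php.ini for the hardening settings discussed in this thread.

Added example: checks the disable_functions list against the functions
named in Steffen's post and reports whether open_basedir is configured.
"""

# Functions Steffen's post recommends disabling (copied from the post).
RECOMMENDED_DISABLED = {
    "phpinfo", "dir", "readfile", "shell_exec", "exec", "virtual", "passthru",
    "proc_close", "proc_get_status", "proc_open", "proc_terminate", "system",
}

# Constructed php.ini fragment with only a partial disable_functions list.
PARTIAL_INI = """
; constructed sample php.ini
[PHP]
engine = On
disable_functions = "phpinfo,shell_exec,exec,system"   ; not the full list
open_basedir = "C:/www/htdocs"
"""

# Constructed php.ini fragment using the full list from the post.
HARDENED_INI = """
[PHP]
disable_functions = "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
open_basedir = "C:/www/htdocs"
"""


def _parse_value(rest):
    """Return the directive value: a quoted string, or text up to a ';' comment."""
    rest = rest.strip()
    if rest and rest[0] in "\"'":
        quote = rest[0]
        end = rest.find(quote, 1)
        return rest[1:end] if end != -1 else rest[1:]
    return rest.split(";", 1)[0].strip()


def parse_php_ini(text):
    """Return {directive_name: value} from php.ini text.

    Skips comments and [section] headers. Directive names are lowercased.
    A later assignment overrides an earlier one. Lines with no '=' are not
    valid assignments and are ignored.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue
        name, rest = line.split("=", 1)
        directives[name.strip().lower()] = _parse_value(rest)
    return directives


def disabled_functions(directives):
    """Set of function names listed in disable_functions (PHP matches them case-insensitively)."""
    value = directives.get("disable_functions", "")
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def audit(ini_text):
    """Report recommended functions still enabled and the open_basedir state."""
    directives = parse_php_ini(ini_text)
    disabled = disabled_functions(directives)
    basedir = directives.get("open_basedir", "")
    return {
        "still_enabled": sorted(RECOMMENDED_DISABLED - disabled),
        "open_basedir": basedir,
        "open_basedir_set": bool(basedir),
    }


if __name__ == "__main__":
    for label, ini in (("partial", PARTIAL_INI), ("hardened", HARDENED_INI)):
        report = audit(ini)
        print(label, "still enabled:", report["still_enabled"])
        print(label, "open_basedir:", report["open_basedir"] or "(not set)")
```

Run it against a real php.ini by reading the file into audit(); an empty "still_enabled" list plus a set open_basedir means both recommendations from the thread are in place. Remember that disable_functions only applies to the functions named, so any exec-family function left off the list stays callable.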
NthDegree



Joined: 14 Mar 2006
Posts: 14

PostPosted: Thu 20 Apr '06 1:38    Post subject: Partitioning!

Repartition the HDD to have all the server bits in one partition.

Then block all access to drive C using NTFS permissions!

That tactic even stops directory traversal vulnerabilities from being of any real use.

Also, another nice tip is to use safe_mode_exec_dir to allow the exec family of functions to run only in the directory needed!