logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> How-to's & Documentation & Tips View previous topic :: View next topic
Reply to topic   Topic: Tip: disable_functions in PHP
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Sat 18 Feb '06 20:08    Post subject: Tip: disable_functions in PHP Reply with quote

A lot of you know it already, but still I want to share;

Today a Apache users reported to me that users with upload facility where able to excute windows commands.

They uploaded a script and could execute for example:

<
shell_exec('c:/del *.*')
>

It is advised to put in your php.ini:

disable_functions "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,
proc_close,proc_get_status,proc_open,proc_terminate,system"

With this setting users cannot execute windows commands. Note that also phpinfo is in the list, to prevent that users can see your php configuration.


Steffen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sun 19 Feb '06 15:02    Post subject: Reply with quote

For security it is more safe to set a open_basedir to the webroot. So you can use all function even exec but only in webroot.
Back to top
NthDegree



Joined: 14 Mar 2006
Posts: 14

PostPosted: Thu 20 Apr '06 1:38    Post subject: Partitioning! Reply with quote

Repartition the HDD to have all the server bits in one partition.

Then block all access to drive C using NTFS permissions!

That tactic even stops directory traversal vulnerabilities from being of any real use.

Also, another nice tip is to use safe_mode_exec_dir to allow exec family of functions to run only in the directory needed!
Back to top


Reply to topic   Topic: Tip: disable_functions in PHP View previous topic :: View next topic
Post new topic   Forum Index -> How-to's & Documentation & Tips