eWebtricity
08-24-2005, 01:10 AM
PHP by nature is unfortunately very insecure by default. There are many ways to help make it more secure for a shared hosting environment, such as running modules like mod_security. Another way to do this is by disabling the actual functions that many of these exploits call on. This can be done by simply editing the php.ini and restarting Apache. Though you should not have any trouble with the disabled functions, if webpages do start to have problems you can always add the function back. Most times you will get an error on a webpage that will tell you exactly which one is causing the problem.
First we need to locate the php.ini file.
locate php.ini
For Plesk the correct file is /etc/php.ini. Go ahead and open the php.ini file.
pico -w /etc/php.ini
Scroll down until you see the "disable_functions" line. Go ahead and comment the line out with a ";" and replace it with the following:
disable_functions = "system,exec"
Though not for everybody, you can also take a more extreme step and disable even more PHP functions. In a shared hosting environment this may be too much, but it is worth a try. If a user complains of trouble with a photo gallery, make sure they are using GD and not ImageMagick. If they are using GD they can manipulate images via PHP; ImageMagick requires running external commands. Only add the following if you are sure of what you are doing! If you have any trouble simply remove them and restart Apache. Here are the commands that may work for you:
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"
Now go ahead, save, and restart Apache. To change what is disabled, simply remove the function that you want to be running. In my opinion the most important functions to keep disabled are the system and exec functions, as they tend to cause the most problems and are used for many PHP exploits.
Source: http://www.eth0.us
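A check for the php.ini edit described above, added here as an example and not taken from the original post: it reads the active (uncommented) disable_functions line of a php.ini and reports which functions from the post's full list are still allowed, so a line accidentally left commented out is caught before Apache is restarted. The sample php.ini is constructed inline, and the function names active_disable_functions, is_disabled and report_missing are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini for the
# disable_functions directive the post describes. Only an uncommented line
# counts, so an edit that still carries a leading ';' is caught here
# before Apache is restarted.

# Print the value of the last active (uncommented) disable_functions line,
# with surrounding quotes and all whitespace stripped.
active_disable_functions() {
    # $1 = path to php.ini
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]//g'
}

# Return 0 if function $2 appears in the active list of php.ini $1, else 1.
is_disabled() {
    list=$(active_disable_functions "$1")
    case ",$list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print, space separated, every function from the post's full list that
# the php.ini at $1 does NOT disable.
report_missing() {
    missing=""
    for f in exec system passthru readfile shell_exec escapeshellarg \
             escapeshellcmd proc_close proc_open ini_alter dl popen \
             parse_ini_file show_source curl_exec; do
        is_disabled "$1" "$f" || missing="$missing $f"
    done
    echo "${missing# }"
}

# Constructed sample php.ini: the stock line stays commented out and the
# post's minimal setting is active, as the post instructs.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; This directive allows you to disable certain functions for security reasons.
;disable_functions = "exec,system,passthru,shell_exec,proc_open,popen,dl"
disable_functions = "system,exec"
EOF

echo "Active disable_functions: $(active_disable_functions "$SAMPLE_INI")"
echo "Still allowed: $(report_missing "$SAMPLE_INI")"
rm -f "$SAMPLE_INI"
```

Point it at /etc/php.ini instead of the sample to audit a real file. This only inspects what is on disk, so after restarting Apache confirm the effective value from a web page with phpinfo() or ini_get('disable_functions'), since the CLI and Apache can load different php.ini files.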