
Any security issue to active Curl_exec()

Discussion in 'Security' started by hackboys, Nov 6, 2011.

  1. hackboys

    Hello!

    One of my customers wanted to install a script, and he confronted the error below:

    Warning: curl_exec() has been disabled for security reasons in /home/username/public_html/functions.php on line 0

    We have already installed CURL_Exec using Apache_update in cPanel, but I think our technician has disabled the function in php.ini.

    Anyway, I want to know: is there any security risk in enabling Curl_exec()? Could it be dangerous?

    Thank You
     
  2. srpurdy

    It's not really a security risk, but it can be. It's just a matter of whether you want to allow your users to use the CURL library, and that function is needed for it. If you're using PHP 5.3 you can use the path feature with Suhosin so only that account can use it, if you're concerned with it. But curl doesn't do anything that sockets can't do, so disabling curl without disabling sockets seems a bit pointless. It can increase server load if a novice programmer uses these functions in a bad way, so there is a legit reason to not enable them by default.

    It can be a security risk if for example a novice uses the library in an improper way.

    For example: creating a dynamic RESTful API is much more secure than having an XML file saved and this file being accessed via curl_exec. If that file gets attacked, it can be loading something bad on any site using it, whereas if you have a dynamic RESTful API the risk is much smaller.
     
    #2 srpurdy, Nov 7, 2011
    Last edited: Nov 7, 2011
  3. anton_latvia

    IMHO it is better to allow using CURL, instead of direct remote file opening - allow_url_fopen must always be "off".
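
Added example, not written by any poster in this thread: a small Python audit of php.ini text that checks the two settings discussed above, namely whether curl_exec is disabled while socket functions stay available, and whether allow_url_fopen is on. The function list beyond curl_exec, the helper names and the sample configuration are assumptions constructed for illustration.

```python
# Outbound-capable PHP functions; the list beyond curl_exec is this example's assumption.
NETWORK_FUNCS = {"curl_exec", "curl_multi_exec", "fsockopen", "pfsockopen",
                 "stream_socket_client", "socket_connect"}
TRUE_VALUES = {"1", "on", "yes", "true"}  # spellings php.ini treats as boolean true

# Constructed sample resembling the setup in the first post (not a real server's file).
SAMPLE_INI = """\
[PHP]
; hardening added by the hosting technician
disable_functions = exec,passthru,shell_exec,curl_exec
allow_url_fopen = On
"""

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                              # skip blanks and [section] headers
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of findings for the settings discussed in the thread."""
    ini = parse_ini(text)
    disabled = {f.strip().lower()
                for f in ini.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    # allow_url_fopen defaults to On in PHP, so an absent directive counts as enabled.
    if ini.get("allow_url_fopen", "1").lower() in TRUE_VALUES:
        findings.append("allow_url_fopen is On: file functions such as fopen() "
                        "can open remote URLs")
    still_open = sorted(NETWORK_FUNCS - disabled)
    if "curl_exec" in disabled and still_open:
        findings.append("curl_exec is disabled, yet outbound connections remain "
                        "possible via: " + ", ".join(still_open))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("-", finding)
```
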
     