The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disable some variable for securtiy reason

Discussion in 'Security' started by whm-expert, Feb 22, 2013.

  1. whm-expert

    whm-expert Active Member

    Joined:
    Nov 10, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    hello
    is there any way i can disable some php variable from work in my server?
    like ($SERVER_SOFTWARE, $curls, $safe_mode)
    because i dont want our client to know this result for these standard variable.

    i disable some function in php.ini, and i want to disable some variable
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    It appears that you also submitted a ticket, 3785707, with this question.

    The items you mentioned are PHP environment variables, and it does not appear to be possible to disable then. In theory, you could disable the getenv function:

    PHP: getenv - Manual

    However, that is probably a bad idea because that is probably going to break scripts that need to use that function that you do not want to break.

    What, exactly, are you hoping to accomplish by disabling PHP environment variables?
     
  3. whm-expert

    whm-expert Active Member

    Joined:
    Nov 10, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Hello Jared
    thank you for your reply, there is some website was hacked in my server by using php shell c99. i know this from log file,
    when i visit the shell file i can see some details about my server like, cpu, php version, disk space, and all them are PHP environment variables, there i want to disable it so the hacker can not know any thing about my server via shell

    for example i want to disable this variable
    echo "Operating System:: ";
    echo $SERVER_SOFTWARE;
    echo "<br>"
     
    #3 whm-expert, Feb 26, 2013
    Last edited: Feb 26, 2013
  4. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    The real problem is likely that you have vulnerable code somewhere on a site you host that allows remote code execution. Even if you do disable some environment variables, as long as you have code that allows a perpetrator to upload code and execute it remotely, this kind of activity will continue to happen. A better approach, though not easy, is to audit the scripts you are hosting and look for scripts that can be exploited for uploading and executing code. Trying to disable environment variables is addressing a symptom, not the problem.

    Without addressing this factor and making sure that the sites you host cannot be exploited to upload code and execute it, this will likely continue to happen, no matter what other measures you apply.
     
  5. whm-expert

    whm-expert Active Member

    Joined:
    Nov 10, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    details.jpg

    please check the attached image, i want to disable the variable so the php shell not display these details
     
  6. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    You are barking up the wrong tree.

    What you are trying to do will break your PHP and it is not going to stop the hackers.
     
    cPanelJared likes this.
  7. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I understand exactly what you want to do. I understood it without needing the screenshot.

    However, I do not understand why you are trying to approach the problem this way.

    As I already explained in my previous post, you are trying to address a symptom of a problem, not fix the actual problem. If a c99 shell was uploaded, it was probably not because an attacker was able to get information about the PHP configuration from environment variables. The real problem, the one you are not addressing, is that somehow, some way, you have a vulnerability that allowed an attacker to upload and execute malicious code.

    That vulnerability will still be there, whether or not the environment variables are accessible.

    The way you are trying to address this is simply not possible, without modifying and recompiling PHP, and even if you did so, it would break legitimate scripts that need to access those environment variables, and your server would still be vulnerable to exploitation.

    You would get the worst of two situations: your clients' legitimate scripts not working, and your server still being exploited.

    You need to look at the real problem, as I said in my previous post, which is that an attacker can upload and execute malicious code. That is the actual problem. That is going to continue to happen, whether or not scripts can get information about the PHP environment, until you audit the scripts you host to find what is allowing the malicious code to be uploaded and executed.
     
Loading...

Share This Page