Disable some variable for security reason

whm-expert

Hello,
is there any way I can disable some PHP variables from working on my server?
Like ($SERVER_SOFTWARE, $curls, $safe_mode),
because I don't want our clients to know the result of these standard variables.

I disabled some functions in php.ini, and I want to disable some variables.
 

JaredR.

It appears that you also submitted a ticket, 3785707, with this question.

The items you mentioned are PHP environment variables, and it does not appear to be possible to disable them. In theory, you could disable the getenv function:

PHP: getenv - Manual

However, that is probably a bad idea because that is probably going to break scripts that need to use that function that you do not want to break.

What, exactly, are you hoping to accomplish by disabling PHP environment variables?
 

whm-expert

Hello Jared,
thank you for your reply. A website on my server was hacked using the PHP shell c99. I know this from the log file.
When I visit the shell file I can see some details about my server like CPU, PHP version, disk space, and all of them are PHP environment variables, therefore I want to disable them so the hacker cannot know anything about my server via the shell.

For example, I want to disable this variable:
echo "Operating System:: ";
echo $SERVER_SOFTWARE;
echo "<br>";
 

JaredR.

The real problem is likely that you have vulnerable code somewhere on a site you host that allows remote code execution. Even if you do disable some environment variables, as long as you have code that allows a perpetrator to upload code and execute it remotely, this kind of activity will continue to happen. A better approach, though not easy, is to audit the scripts you are hosting and look for scripts that can be exploited for uploading and executing code. Trying to disable environment variables is addressing a symptom, not the problem.

Without addressing this factor and making sure that the sites you host cannot be exploited to upload code and execute it, this will likely continue to happen, no matter what other measures you apply.
 

quietFinn

You are barking up the wrong tree.

What you are trying to do will break your PHP and it is not going to stop the hackers.
 

JaredR.

I understand exactly what you want to do. I understood it without needing the screenshot.

However, I do not understand why you are trying to approach the problem this way.

As I already explained in my previous post, you are trying to address a symptom of a problem, not fix the actual problem. If a c99 shell was uploaded, it was probably not because an attacker was able to get information about the PHP configuration from environment variables. The real problem, the one you are not addressing, is that somehow, some way, you have a vulnerability that allowed an attacker to upload and execute malicious code.

That vulnerability will still be there, whether or not the environment variables are accessible.

The way you are trying to address this is simply not possible, without modifying and recompiling PHP, and even if you did so, it would break legitimate scripts that need to access those environment variables, and your server would still be vulnerable to exploitation.

You would get the worst of two situations: your clients' legitimate scripts not working, and your server still being exploited.

You need to look at the real problem, as I said in my previous post, which is that an attacker can upload and execute malicious code. That is the actual problem. That is going to continue to happen, whether or not scripts can get information about the PHP environment, until you audit the scripts you host to find what is allowing the malicious code to be uploaded and executed.
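
One way to start the audit recommended in the replies above, as an added example that is not part of the original thread and not cPanel's own tooling: a Python walk over a document root that lists PHP files which accept uploads or pass request data to code execution or includes. The patterns, labels and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic patterns: assumptions chosen for this example, not a complete list.
UPLOAD_HANDLER = re.compile(rb"move_uploaded_file\s*\(")
REQUEST_EXEC = re.compile(
    rb"\b(eval|assert|system|exec|passthru|shell_exec)\s*\(\s*[^;]*"
    rb"\$_(GET|POST|REQUEST|COOKIE)")
REQUEST_INCLUDE = re.compile(
    rb"\b(include|require)(_once)?\b[^;]*\$_(GET|POST|REQUEST|COOKIE)")
CHECKS = [(UPLOAD_HANDLER, "upload-handler"),
          (REQUEST_EXEC, "request-data-executed"),
          (REQUEST_INCLUDE, "request-data-included")]

def audit_docroot(root):
    """Return sorted (relative_path, finding) pairs for PHP files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            findings += [(rel, label) for rx, label in CHECKS if rx.search(data)]
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree so the example runs offline."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "gallery/upload.php": b"<?php move_uploaded_file("
            b"$_FILES['f']['tmp_name'], 'img/' . $_FILES['f']['name']); ?>",
        "inc/page.php": b"<?php include($_GET['page'] . '.php'); ?>",
        "img/x.php": b"<?php eval($_POST['c']); ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, label in audit_docroot(tmp):
            print(f"{label:24} {rel}")
```

Each finding is a file to review by hand; a match does not prove the file is exploitable, and a clean result does not prove the site is safe.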