
Enabling passthru in php.ini - is it safe?

Discussion in 'General Discussion' started by Metro2, Mar 27, 2007.

  1. Metro2

    Metro2 Well-Known Member

    For some reason on one of my servers, certain parts of Coppermine Gallery using ImageMagick will not work properly unless I enable "passthru()" in php.ini.

    However, since passthru is normally set in "disable_functions" by default, presumably as a security measure, how safe or unsafe is it to enable it?

    Thanks for your opinions.
     
  2. xerophyte

    xerophyte Well-Known Member

    passthru — Execute an external program and display raw output

    If you enable it, your users can run programs using passthru, and if there is an insecure script on the server which uses passthru, hackers might be able to use that to their advantage.

    Hope that helps.
     
  3. Spiral

    Spiral BANNED

    It is preferable to compile PHP with direct ImageMagick support instead of
    using passthru() to call the external "convert" program from PHP script code.

    I generally don't recommend enabling passthru() as it can be a big security risk.
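
As an added example (not part of the thread, and not cPanel or Coppermine code), this Python script reads php.ini text and lists which command-execution functions the `disable_functions` directive leaves enabled, so an administrator can see what taking `passthru` out of the list changes. `SAMPLE_INI` and the helper names are constructed for illustration; it assumes a single php.ini with no additional .ini files or per-directory overrides.

```python
# PHP functions that start external programs; passthru() is the one asked about above.
EXEC_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "popen", "proc_open")


def disabled_functions(ini_text):
    """Return the names listed in the effective disable_functions directive."""
    value = ""
    for line in ini_text.splitlines():
        line = line.strip()
        # Skip blanks, ';' comments and section headers such as [PHP].
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, raw = line.partition("=")
        if not sep or key.strip() != "disable_functions":
            continue
        raw = raw.split(";", 1)[0]          # drop a trailing comment
        value = raw.strip().strip("\"'")    # a later directive replaces an earlier one
    # Names are compared exactly as written, which is the conservative choice for
    # an audit: anything not matched exactly is reported as still enabled.
    return {name.strip() for name in value.split(",") if name.strip()}


def enabled_exec_functions(ini_text):
    """List command-execution functions that the given php.ini text leaves enabled."""
    disabled = disabled_functions(ini_text)
    return [name for name in EXEC_FUNCTIONS if name not in disabled]


# Constructed sample: passthru was removed from the list to make the gallery work.
SAMPLE_INI = """\
[PHP]
; disable_functions = exec,passthru,system
disable_functions = exec, shell_exec ,system,popen,proc_open  ; passthru removed
"""

if __name__ == "__main__":
    for name in enabled_exec_functions(SAMPLE_INI):
        print(f"enabled: {name}")
```
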
     
  4. Metro2

    Metro2 Well-Known Member

    Thanks for the replies! As far as I know this server did have PHP directly compiled with ImageMagick, and it does work with most functions in scripts like Coppermine. There are just small/odd issues. For example - if a customer creates a Coppermine gallery on this box and sets it to use ImageMagick instead of GD, everything on the gallery appears functional except when they choose the Bulk Upload option from FTP, which will then not show the initial imported thumbnails of pics. If they upload via HTTP using the browse buttons in the gallery, it works fine. The permissions are set correctly on the upload folders, so I'm kind of baffled here. Also, bulk upload with FTP works fine if they switch to GD instead of ImageMagick in their Coppermine config. I guess I'm going to need to look into further assistance with this.
    Thanks again!
     
  5. Spiral

    Spiral BANNED

    What you just described is a file ownership issue!

    When files are uploaded by the FTP, they take the account login as the owner name ...

    When files are uploaded by HTTP, they take the user "nobody" as the owner name ...


    If you install phpSuExec (or SuPHP) then both FTP and HTTP upload will use
    the account login name as the file owner name and this issue will cease
    being a problem for you.

    Otherwise, you need to make the uploaded files globally writable so that the
    program can use them regardless of file owner name.
     