How dangerous is eval() and is there a way to enable it on one account?

Liam W

Active Member
Jul 8, 2012
cPanel Access Level
Root Administrator
So, I have been reading through the internet and most sites agree that the eval() php function is very dangerous.

So, my question is this:

Just how dangerous is the eval() function? What makes it so dangerous?

My second question is this:

Is there a way to give a WHM account its own private PHP installation? The reason I ask is that vBulletin requires the eval() command, so I cannot globally disable it; however, it looks as if it would be a good idea to have it disabled.

What do you all think?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
The eval function, regardless of language, in itself is not dangerous. The danger comes from how it is used. Eval functions are often used to create an executable portion of the application that is not known when the application is written or executed.

For example an eval could be used to load the appropriate module, or sub-system, based upon choices made during application usage. This use allows the application to consume less memory when running because it is only loading what is needed.

What often happens, though, is the information passed to the eval function contains data that was supplied by, or able to be modified by, the user. Applications should never trust user data until it is passed through proper sanitization methods. If the user supplied data is inadequately sanitized prior to being used by the eval function, then it is possible for a malicious user to do unintended things.
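The pattern cPanelKenneth describes, as an added PHP example that is not from the thread or from vBulletin: a module loader that concatenates a request parameter into eval(), beside one that treats the parameter only as a key into a fixed allow-list and needs no eval() at all. The module names and file paths are assumptions.

```php
<?php
// Added illustration, not code from the thread or from any real product.
// Loads a "sub-system" chosen at runtime, first the risky way, then safely.

// --- Risky pattern: user data becomes part of the evaluated source ------
// $module would typically come straight from $_GET['module']. Because it is
// pasted into a PHP source string, the request decides what code runs, and
// any sanitisation has to anticipate every way PHP syntax can be bent.
function load_module_with_eval(string $module): void
{
    eval('require_once "modules/' . $module . '.php";');
}

// --- Hardened pattern ---------------------------------------------------
// 1. The loadable modules are fixed in code (an allow-list).
// 2. Input is used only as a lookup key, never spliced into source text.
// 3. No eval(): a plain require_once on a path the application controls.
const MODULES = [
    'forum'   => __DIR__ . '/modules/forum.php',   // assumed path
    'profile' => __DIR__ . '/modules/profile.php', // assumed path
];

function resolve_module(string $requested): string
{
    if (!array_key_exists($requested, MODULES)) {
        // Unknown name: refuse outright rather than try to clean it up.
        throw new InvalidArgumentException('unknown module: ' . $requested);
    }
    return MODULES[$requested];
}

function load_module(string $requested): void
{
    require_once resolve_module($requested);
}

// Usage (assumes modules/forum.php exists beside this script):
// load_module($_GET['module'] ?? 'forum');
```

Note that eval() is a language construct rather than a function, so PHP's disable_functions setting cannot switch it off; keeping user data out of the evaluated string, as above, is the mitigation that actually works.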
 

Liam W

Active Member
Jul 8, 2012
cPanel Access Level
Root Administrator
cPanelKenneth said:

> The eval function, regardless of language, in itself is not dangerous. The danger comes from how it is used. Eval functions are often used to create an executable portion of the application that is not known when the application is written or executed.
>
> For example an eval could be used to load the appropriate module, or sub-system, based upon choices made during application usage. This use allows the application to consume less memory when running because it is only loading what is needed.
>
> What often happens, though, is the information passed to the eval function contains data that was supplied by, or able to be modified by, the user. Applications should never trust user data until it is passed through proper sanitization methods. If the user supplied data is inadequately sanitized prior to being used by the eval function, then it is possible for a malicious user to do unintended things.

Thanks for that, bit easier to understand now :)