Ok, how dangerous is shell_exec really?

jols · Sep 11, 2007

Apparently Fantastico can not un-install a package if shell_exec is switched off.

No we do not phpsuexec installed.

Yes, we do have open_basedir restrictions enabled, along with many other security features.

Should I be concerned about switching on shell_exec just so our Fantastico users can do their un-installs?

jols · Sep 12, 2007

Anyone? Any thoughts?

chirpy · Sep 12, 2007

It's up to you to judge the benefits against the disadvantages. Turning the function off helps protect vulnerably/poorly coded PHP web scripts installed on the server, especially in a non-phpsuexec/suphp environment. The advantage of not disabling it is that fantastico functions. If you'd prefer to leave it disabled, I'd suggest lobbying netenberg.com to code their removal scripts using php functions instead of relying on shell.

mrprez · Oct 16, 2007

Another advantage is that users will be more likely to remove unwanted scripts rather than leaving them sit there not being used or updated. This to me causes more security issues than having shell_exec activated.

brianoz · Oct 20, 2007

Isn't it possible to switch on shell_exec just for Fantastico?

Regardless I wouldn't allow shell_exec() without suphp or phpsuexec (but then I wouldn't allow PHP without suphp or phpsuexec!).

jols · Oct 21, 2007

brianoz said: ↑

Isn't it possible to switch on shell_exec just for Fantastico?
Click to expand...

I only wish this were the case.

Netenberg says that you must switch shell_exec on for the entire server just so Fantastico can un-install packages. IMO this is by far the worst thing about Fantastico.

brianoz · Oct 21, 2007

That sounds like a generic answer, I'd want to dig further. As far as I know the version of PHP that runs for WHM is a different binary? Maybe it runs as mod_php? If so, you could use a .htaccess file and php_flag settings to enable shell_exec. If not, you could probably add a php.ini file somewhere else.

verdon · Oct 21, 2007

or just avoid fantastico altogether

Infopro · Oct 21, 2007

jols said: ↑

I only wish this were the case.

Netenberg says that you must switch shell_exec on for the entire server just so Fantastico can un-install packages. IMO this is by far the worst thing about Fantastico.
Click to expand...

Well, that's not exactly what they said to you.

http://www.netenberg.com/forum/index.php?topic=6132.0

Can you enable phpsuexec? Is this an option?
Click to expand...

or use suphp.

without one of those enabled, fantasico cannot reliably remove scripts that it has installed. If you wish to leave the exec feature disabled, you should be prepared to help your users manually remove scripts when they are done with them.

Regards,
Click to expand...

Either suggestion sound like sound ideas to me.

And I agree with MaraBlue in that thread. No problems here to speak of. (so far to date)

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Ok, how dangerous is shell_exec really?

jols Well-Known Member

jols Well-Known Member

chirpy Well-Known Member

mrprez Well-Known Member

brianoz Well-Known Member

jols Well-Known Member

brianoz Well-Known Member

verdon Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Attachments: Filter messages with dangerous attachments

Is it possible to whitelist command/programs to be used by shell_exec?

shell_exec not working

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Ok, how dangerous is shell_exec really?

jols Well-Known Member

jols Well-Known Member

chirpy Well-Known Member

mrprez Well-Known Member

brianoz Well-Known Member

jols Well-Known Member

brianoz Well-Known Member

verdon Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

Attachments: Filter messages with dangerous attachments

Is it possible to whitelist command/programs to be used by shell_exec?

shell_exec not working

Share This Page

Infopro cPanel Sr. Product Evangelist
Staff Member