Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Ok, how dangerous is shell_exec really?

Discussion in 'General Discussion' started by jols, Sep 11, 2007.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    3
    Trophy Points:
    168
    Apparently Fantastico can not un-install a package if shell_exec is switched off.

    No we do not phpsuexec installed.

    Yes, we do have open_basedir restrictions enabled, along with many other security features.


    Should I be concerned about switching on shell_exec just so our Fantastico users can do their un-installs?
     
    #1 jols, Sep 11, 2007
  2. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    3
    Trophy Points:
    168
    Anyone? Any thoughts?
     
    #2 jols, Sep 12, 2007
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    It's up to you to judge the benefits against the disadvantages. Turning the function off helps protect vulnerably/poorly coded PHP web scripts installed on the server, especially in a non-phpsuexec/suphp environment. The advantage of not disabling it is that fantastico functions. If you'd prefer to leave it disabled, I'd suggest lobbying netenberg.com to code their removal scripts using php functions instead of relying on shell.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 chirpy, Sep 12, 2007
  4. mrprez

    mrprez Well-Known Member

    Joined:
    Jun 14, 2002
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    166
    Another advantage is that users will be more likely to remove unwanted scripts rather than leaving them sit there not being used or updated. This to me causes more security issues than having shell_exec activated.
     
    #4 mrprez, Oct 16, 2007
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Isn't it possible to switch on shell_exec just for Fantastico?

    Regardless I wouldn't allow shell_exec() without suphp or phpsuexec (but then I wouldn't allow PHP without suphp or phpsuexec!).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 brianoz, Oct 20, 2007
  6. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    3
    Trophy Points:
    168
    I only wish this were the case.

    Netenberg says that you must switch shell_exec on for the entire server just so Fantastico can un-install packages. IMO this is by far the worst thing about Fantastico.
     
    #6 jols, Oct 21, 2007
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    That sounds like a generic answer, I'd want to dig further. As far as I know the version of PHP that runs for WHM is a different binary? Maybe it runs as mod_php? If so, you could use a .htaccess file and php_flag settings to enable shell_exec. If not, you could probably add a php.ini file somewhere else.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 brianoz, Oct 21, 2007
  8. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    870
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    or just avoid fantastico altogether ;)
     
    #8 verdon, Oct 21, 2007
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,352
    Likes Received:
    404
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Well, that's not exactly what they said to you.


    http://www.netenberg.com/forum/index.php?topic=6132.0



    Either suggestion sound like sound ideas to me.

    And I agree with MaraBlue in that thread. No problems here to speak of. (so far to date)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 Infopro, Oct 21, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - dangerous shell_exec really
  1. Corey Kretsinger

    Pending Publication [CPANEL-20227] "Dangerous: Rejecting invalid log file" warning during transfer

    Corey Kretsinger, May 12, 2018, in forum: Data Protection
    Replies:
    4
    Views:
    516
    Corey Kretsinger
    May 16, 2018
  2. keat63

    Attachments: Filter messages with dangerous attachments

    keat63, Feb 23, 2017, in forum: E-mail Discussion
    Replies:
    5
    Views:
    2,426
    cPanelMichael
    Feb 28, 2017
  3. the_garg

    Habilitar shell_exec en una cuenta cPanel

    the_garg, Mar 15, 2018, in forum: Discusión en Español
    Replies:
    1
    Views:
    321
    cPanelMichael
    Mar 16, 2018
  4. VMunich

    Is it possible to whitelist command/programs to be used by shell_exec?

    VMunich, Jul 3, 2017, in forum: Security
    Replies:
    4
    Views:
    485
    quizknows
    Jul 4, 2017
  5. sathyasam

    shell_exec not working

    sathyasam, Oct 1, 2016, in forum: General Discussion
    Replies:
    1
    Views:
    905
    cPanelMichael
    Oct 6, 2016

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice