With the ConfigServer Security & Firewall plugin a check on basic security, stability and settings can be performed.
The check php for disable_functions advises the following:
You should modify the PHP configuration and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list
However, I performed a scan on the usage of these PHP functions and they are all used in the default WHM/cPanel installation. This means they cannot be disabled. For example, I personally encountered an install issue in WHM with the activation of "PHP Extensions and Applications Package" (PEAR) because I disabled the popen function according to the above advice.
So, my advice is to be very careful with this CSF advice (incl. the ini_set advice).
Use the following commands to check for the usage of these insecure PHP functions by cPanel PHP files:
Code:
# One pass over every PHP file on the box; grep -w matches whole words only, so
# "system" no longer hits "filesystem" and "exec" no longer hits "execute".
for fn in show_source system shell_exec passthru exec phpinfo popen proc_open allow_url_fopen ini_set; do
    echo "== $fn"
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw "$fn"
done
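The same check as a small Python scanner, added here as an example and not code from the post, CSF or cPanel. It counts only real call sites of each function (not substrings, method calls, definitions or comments), drops allow_url_fopen because it is a php.ini directive rather than a function, and returns the disable_functions value with every function the scanned tree still calls removed. Paths and file contents in SAMPLE_TREE are constructed; on a real server load the tree from a directory with load_php_tree.

```python
import os
import re

# CSF's suggested value as quoted in the post. allow_url_fopen is a php.ini
# directive, not a function: disable_functions ignores it, so we drop it too.
CSF_SUGGESTED = ("show_source, system, shell_exec, passthru, exec, phpinfo, "
                 "popen, proc_open, allow_url_fopen")
INI_DIRECTIVES = {"allow_url_fopen"}

def parse_disable_functions(value):
    """Unique lowercase function names from a disable_functions value."""
    names = [n.strip().lower() for n in value.split(",")]
    return [n for i, n in enumerate(names)
            if n and n not in INI_DIRECTIVES and n not in names[:i]]

def call_sites(src, name):
    """Line numbers where `name` is called as a plain PHP function. Unlike
    `grep -l`, substrings (filesystem), method/static calls ($o->exec(),
    C::exec()), definitions (function exec()) and comment lines are ignored.
    Indirect calls (call_user_func('exec'), $f = 'exec'; $f()) are NOT seen,
    so a clean result is necessary, not sufficient, before disabling."""
    pat = re.compile(r"(?<![\w$])(?<!->)(?<!::)" + re.escape(name) + r"\s*\(", re.I)
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        if any(not re.search(r"\bfunction\s*$", line[:m.start()], re.I)
               for m in pat.finditer(line)):
            hits.append(no)
    return hits

def load_php_tree(root):
    """{relative path: source} for every .php file under root."""
    tree = {}
    for d, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".php"):
                with open(os.path.join(d, f), encoding="utf-8", errors="replace") as fh:
                    tree[os.path.relpath(os.path.join(d, f), root)] = fh.read()
    return tree

def scan_usage(tree, names):
    """Map each candidate function to the files (sorted) that call it."""
    return {n: sorted(p for p, s in tree.items() if call_sites(s, n)) for n in names}

def safe_disable_functions(tree, value=CSF_SUGGESTED):
    """The suggested list minus every function the tree's PHP files call."""
    used = scan_usage(tree, parse_disable_functions(value))
    return ", ".join(n for n in used if not used[n])

# Constructed stand-in for a cPanel PHP tree (hypothetical paths and content).
SAMPLE_TREE = {
    "pear/install.php": "<?php\n$h = popen('pear list', 'r');\n// exec('in a comment');\n",
    "lib/Fs.php": "<?php\nclass Fs { function exec($c) { return $c; } }\n"
                  "$fs->exec('x'); $filesystem = 1; Fs::system();\n",
}
```

Run `safe_disable_functions(load_php_tree("/usr/local/cpanel"))` to get the list for a real install; anything reported by scan_usage is a function the post's own experience says you must keep enabled.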