The Community Forums


PHP disable_functions vs. CSF

Discussion in 'Security' started by XenomediaBV, Mar 6, 2013.

  1. XenomediaBV

    XenomediaBV Well-Known Member

    Joined:
    Sep 3, 2009
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    The Netherlands
    cPanel Access Level:
    Root Administrator
    With the ConfigServer Security & Firewall plugin a check on basic security, stability and settings can be performed.

    The PHP check for disable_functions advises the following:
    You should modify the PHP configuration and disable commonly abused php functions, e.g.:
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
    Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list


    However, I performed a scan on the usage of these PHP functions and they are all used in the default WHM/cPanel installation. This means they cannot be disabled. For example, I personally encountered an install issue in WHM with the activation of "PHP Extensions and Applications Package" (PEAR) because I disabled the popen function according to the above advice.

    So, my advice is to be very careful with this CSF advice (incl. the set_ini advice).

    Use the following commands to check for the usage of these insecure PHP functions by cPanel PHP files:

    Code:
    # -w matches whole words only, so "exec" does not also report files that merely call shell_exec
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw show_source
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw system
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw shell_exec
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw passthru
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw exec
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw phpinfo
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw popen
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw proc_open
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw allow_url_fopen
    find / -type f -name "*.php" -print0 | xargs -0 grep -lw ini_set
     
  2. elialum

    elialum Member

    Joined:
    Sep 10, 2008
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    cPanel Access Level:
    DataCenter Provider
    Hi,

    The CSF security test refers to the main PHP (/usr/local/bin/php) that is used by all the users on the server.
    cPanel uses its own internal PHP, so you shouldn't be worried about that.

    Eli.
     
  3. XenomediaBV
    True. So that is a relief for most of the usage. But the PEAR installer in WHM will activate PEAR for the public PHP on cPanel systems and this uses the popen function which will break if popen is disabled. So, there is still some attention needed with this option.
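A defender-side check that ties the two points of this thread together (an added example, not code from the thread, from CSF or from cPanel): it reports which CSF-recommended functions a php.ini disable_functions value still leaves enabled, and scans PHP source for real calls to those functions, matching whole names followed by "(" so that a search for exec does not also flag shell_exec or a $obj->exec() method call. The php.ini value and the PHP snippets are constructed sample input.

```python
"""Check a disable_functions value against CSF's list and find which local
PHP code actually calls the functions before you disable them."""
import re

# Functions named in the CSF advice quoted in the thread. allow_url_fopen is an
# ini directive rather than a function, so it is not part of the call scan.
CSF_RECOMMENDED = ["show_source", "system", "shell_exec", "passthru", "exec",
                   "phpinfo", "popen", "proc_open"]

# Constructed sample files standing in for a scan of /usr/local/cpanel etc.
SAMPLE_PHP = {
    "pear_installer.php": '$h = popen("pear list", "r");\n',
    "wrapper.php": 'echo shell_exec("ls");\n$runner->exec();\n',
    "info.php": "PHPINFO ( );\n",
}


def parse_disable_functions(value):
    """Turn the php.ini 'disable_functions' value into a set of lowercase names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def missing_from_disable_functions(value, recommended=CSF_RECOMMENDED):
    """Recommended functions that the given disable_functions value leaves enabled."""
    disabled = parse_disable_functions(value)
    return [fn for fn in recommended if fn not in disabled]


def find_function_calls(php_source, functions=CSF_RECOMMENDED):
    """Return the subset of `functions` actually called in `php_source`.

    The name must not be preceded by an identifier character, '$', '>' or ':'
    and must be followed by '(', so 'exec' does not match 'shell_exec',
    '$exec(' or '$proc->exec('. PHP function names are case-insensitive.
    """
    found = []
    for fn in functions:
        pattern = r"(?<![\w$>:])" + re.escape(fn) + r"\s*\("
        if re.search(pattern, php_source, re.IGNORECASE):
            found.append(fn)
    return found


def scan_sources(sources, functions=CSF_RECOMMENDED):
    """Map each function that is used to the list of files calling it."""
    usage = {}
    for path, src in sources.items():
        for fn in find_function_calls(src, functions):
            usage.setdefault(fn, []).append(path)
    return usage
```

Anything reported by scan_sources() for the public PHP's code base is a function you should expect to break, as the thread found with popen and the PEAR installer.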
     