
disable_functions doesn't work?


#1 kenw232


Posted 13 January 2013 - 09:30 PM

I have a virtualhost with disable_functions defined as:
<VirtualHost x.x.x.x>
php_admin_value disable_functions system,passthru,exec,popen,proc_close,proc_open,shell_exec
</VirtualHost>

But this PHP code still works:
<html>
<?
$sCMD = `/bin/cat /tmp/test.txt`;
echo $sCMD;
?>
</html>

The contents of test.txt are still read and echoed out. Am I missing something?

I'm running PHP 5.3.16 on Linux 2.4.

#2 DavidAM


Posted 13 January 2013 - 09:50 PM

Is PHP being run as a loaded module or as CGI? As I understand it, settings in the Apache config files (including .htaccess) only work when PHP is being run as a module. Otherwise, you have to put the settings in the php.ini file.
-- I haven't lost my mind, it's backed up on tape ... somewhere!

#3 kicken


Posted 13 January 2013 - 10:26 PM

disable_functions string
This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.

Only internal functions can be disabled using this directive. User-defined functions are unaffected.

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.


Recycle your old CD's, don't trash them!
Did I help you out?  Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
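
An added example, not part of any post in this thread: a PHP script to place in the virtual host's document root to see which of the functions from the first post are actually blocked for that host. It tests callability with function_exists() instead of trusting the ini string, and flags the backtick case, since the backtick operator is identical to shell_exec(). The helper names configured_disabled() and still_callable() are invented for this example.

```php
<?php
// Constructed check: are the functions this vhost was meant to block really
// blocked for scripts served from here? List taken from the first post.
$wanted = array('system', 'passthru', 'exec', 'popen',
                'proc_close', 'proc_open', 'shell_exec');

// Names in the effective disable_functions value, lower-cased and trimmed.
function configured_disabled()
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));
}

// Subset of $wanted that scripts can still call. function_exists() returns
// false for a built-in that disable_functions has actually switched off.
function still_callable(array $wanted)
{
    $open = array();
    foreach ($wanted as $name) {
        if (function_exists($name)) {
            $open[] = $name;
        }
    }
    return $open;
}

$listed = configured_disabled();
$open   = still_callable($wanted);

header('Content-Type: text/plain');
echo 'SAPI:              ', php_sapi_name(), "\n";
echo 'Loaded php.ini:    ', (php_ini_loaded_file() ?: '(none)'), "\n";
echo 'disable_functions: ', ($listed ? implode(',', $listed) : '(empty)'), "\n";
echo 'Still callable:    ', ($open ? implode(',', $open) : '(none)'), "\n";

// Backticks are shell_exec() under another syntax, so they keep working
// for as long as shell_exec is callable.
if (in_array('shell_exec', $open, true)) {
    echo "WARNING: shell_exec is callable, so `...` backticks run commands too\n";
}
// A name that is listed yet still callable was not applied at startup,
// which is what happens when it is set somewhere other than php.ini.
$ignored = array_intersect($listed, $open);
if ($ignored) {
    echo 'WARNING: listed but not enforced: ', implode(',', $ignored), "\n";
}
```

Request the script through each virtual host in turn; the SAPI line also answers the module-or-CGI question from post #2.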

#4 kenw232


Posted 13 January 2013 - 10:56 PM

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.


Thanks. I should read more. But this means it's server-wide; I cannot disable some functions for some VirtualHosts and not others, correct? Doesn't that make it unrealistic?

#5 kenw232


Posted 13 January 2013 - 11:13 PM

I kind of found out what to do here:
http://www.webhostin...ad.php?t=623944



