I have a virtualhost with disable_functions defined as:
<VirtualHost x.x.x.x>
php_admin_value disable_functions system,passthru,exec,popen,proc_close,proc_open,shell_exec
</VirtualHost>
But this PHP code still works:
<html>
<?
$sCMD = `/bin/cat /tmp/test.txt`;
echo $sCMD;
?>
</html>
The contents of test.txt is still read and echoed out. Am I missing something?
I'm running PHP 5.3.16 on Linux 2.4.
4 replies to this topic
#2
DavidAM
-
- Gurus
-
- 1,727 posts
Advanced Member
- LocationSpring, TX USA
Posted 13 January 2013 - 09:50 PM
Is PHP being run as a loaded module or as CGI? As I understand it, settings in the Apache config files (including .htaccess) only work when PHP is being run as a module. Otherwise, you have to put the settings in the php.ini file.
-- I haven't lost my mind, it's backed up on tape ... somewhere!
#3
kicken
-
- Gurus
-
- 1,672 posts
Wiser? Not exactly.
- LocationBonita, FL
Posted 13 January 2013 - 10:26 PM
disable_functions string
This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode.
Only internal functions can be disabled using this directive. User-defined functions are unaffected.
This directive must be set in php.ini For example, you cannot set this in httpd.conf.
Recycle your old CD's, don't trash them!
Did I help you out? Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
Did I help you out? Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7
#4
kenw232
-
- New Members
-
- 5 posts
Newbie
Posted 13 January 2013 - 10:56 PM
This directive must be set in php.ini For example, you cannot set this in httpd.conf.
Thanks. I should read more. But this means its server wide, I cannot disable some functions for some Virtualhosts and not others correct? Doesn't that make it unrealistic?
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
