keat

PHP functions


Security advisor on my server suggests:

You should consider disabling commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list:

 

Are all these safe to remove as far as CubeCart V6 goes?


security checks

Request to delete this: exec, system, passthru, popen, proc_open, shell_exec

I didn't delete anything because I don't know how to do it.

 


CubeCart core code does not use those PHP functions. However, it is unknown (to me) whether any third-party modules - especially code that has been ionCube encoded or otherwise obfuscated - use these functions.


There is no CubeCart function or third-party module that uses these functions - they should all be disabled as they are a MAJOR security risk.


PHP documentation warns of the eval() function being dangerous. Actually, I have found statements in the Smarty template system that use PHP's eval().


Some are more dangerous than others in that list and all have some legitimate use. Much depends on whether the server is dedicated or shared with multiple users and how good the rest of the server security is.

9 hours ago, fabriceunko said:

hello, silly question but how do we do it?

 

As far as I'm aware, this has to be done at server level using php ini editor, and adding the line

' disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open '

Whether or not one can do this at a user level, I'm not sure. ??

 

As for creating dangerous functions.

I guess when PHP was being developed, these functions were not considered dangerous, but over the years, as software develops, and hackers learn of workarounds and vulnerabilities, software becomes less safe.

Windows 7 a prime example.

Incidentally, these functions are not CubeCart functions, these are PHP server software functions.

 

I disabled these in my PHP.ini, and up to press I've seen no problems with functionality.

Edited by keat
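
The thread leaves open whether third-party modules call any of the listed functions. The following is an added example, not code from any poster or from CubeCart, that scans a store's PHP files for calls to the functions in the quoted `disable_functions` line before the setting is applied. The call-matching regex, the "ioncube" header check used to flag unreadable encoded files, and the sample input are assumptions made for this illustration.

```python
import re
import sys
from pathlib import Path

# Function list copied from the disable_functions line quoted in the thread.
NAMES = ("show_source system shell_exec passthru exec phpinfo popen proc_open").split()

# Heuristic (assumption): a call is the bare name followed by "(". Method calls
# ($db->exec(), Foo::exec()), longer names (curl_exec) and definitions are skipped.
CALL = re.compile(r"(?<![\w$>:])(?<!function )(" + "|".join(NAMES) + r")\s*\(", re.I)

# Constructed sample input, not taken from CubeCart or any real module.
SAMPLE = r"""<?php
// exec('ls') inside a comment is ignored
$out = shell_exec('convert in.png out.jpg');
$db->exec('DELETE FROM t');
curl_exec($ch);
function system_check() { return \system ('uptime'); }
"""

def scan_source(text):
    """Return ("encoded", []) or ("ok", [(line_number, function_name), ...])."""
    # Assumption: ionCube-encoded files name the loader near the top. Their
    # body cannot be read, so they are reported for manual follow-up instead.
    if "ioncube" in text[:2048].lower():
        return "encoded", []
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # whole-line comment
        hits += [(number, m.group(1).lower()) for m in CALL.finditer(line)]
    return "ok", hits

def scan_tree(root):
    """Map each .php file under root that needs attention to its scan result."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        status, hits = scan_source(path.read_text(errors="replace"))
        if status == "encoded" or hits:
            report[str(path)] = (status, hits)
    return report

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_tree(target) if target else {"<sample>": scan_source(SAMPLE)}
    for name, (status, hits) in result.items():
        print(name, status, hits)
```

PHP also disables the backtick operator when `shell_exec` is disabled, and this scan does not look for backticks. Files reported as `encoded` need an answer from the module vendor or a test on a staging copy with the functions disabled.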