keat (January 23, 2020): The security advisor on my server suggests: "You should consider disabling commonly abused PHP functions, e.g.: disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open. Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list." Are all these safe to remove as far as CubeCart V6 goes?
fabriceunko (January 23, 2020): The security checks request that I delete these: exec, system, passthru, popen, proc_open, shell_exec. I didn't delete anything because I don't know how to do it.
bsmither (January 23, 2020): CubeCart core code does not use those PHP functions. However, it is unknown (to me) whether any third-party modules, especially code that has been ionCube encoded or otherwise obfuscated, use these functions.
havenswift-hosting (January 24, 2020): There is no CubeCart function or third-party module that uses these functions. They should all be disabled, as they are a MAJOR security risk.
fabriceunko (January 24, 2020): Hello, silly question, but how do we do it?
bsmither (January 24, 2020): Anywhere in the php.ini file, add the directive. Then restart PHP (or the web server, whatever). https://www.php.net/manual/en/ini.core.php#ini.disable-functions If you do not have access to the main php.ini file, then please consult your hosting provider.
bsmither (January 24, 2020): PHP documentation warns of the eval() function being dangerous. Actually, I have found statements in the Smarty template system that use PHP's eval().
fabriceunko (January 24, 2020): I'm sure you don't have the answer, but why did they create a dangerous function? Better not to do it, right?
havenswift-hosting (January 24, 2020): Some are more dangerous than others in that list, and all have some legitimate use. Much depends on whether the server is dedicated or shared with multiple users, and how good the rest of the server security is.
keat (author, January 24, 2020): fabriceunko said: "Hello, silly question, but how do we do it?" As far as I'm aware, this has to be done at server level using a php.ini editor, and adding the line 'disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open'. Whether or not one can do this at a user level, I'm not sure. ?? As for creating dangerous functions: I guess when PHP was being developed, these functions were not considered dangerous, but over the years, as software develops and hackers learn of workarounds and vulnerabilities, software becomes less safe. Windows 7 is a prime example. Incidentally, these functions are not CubeCart functions; these are PHP server software functions. I disabled these in my php.ini, and up to press I've seen no problems with functionality.
vidmarc (October 10, 2020): My current php.ini file links to the ionCube loader. How do I add the commands required to disable the dangerous PHP functions? Will this work?
zend_extension = /htdocs/ioncube/ioncube_loader_lin_7.2.so
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
vidmarc (October 10, 2020): It seems to have worked.
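An added example, not from the thread or from CubeCart: a small POSIX shell audit that reads the last uncommented disable_functions directive from a php.ini file and reports which of the functions recommended above are still enabled. The php.ini path and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Functions the thread recommends disabling (keat's final list).
RECOMMENDED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# Print, one per line, each RECOMMENDED function that is NOT covered by the
# disable_functions directive in the php.ini given as $1. Commented lines
# (starting with ';') are ignored and, if the directive appears more than
# once, the last occurrence wins, matching how PHP reads the file.
missing_disabled_functions() {
    ini="$1"
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/"//g' -e "s/'//g" \
        | tr ', ' '\n\n' \
        | sed '/^$/d')
    for fn in $RECOMMENDED; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            printf '%s\n' "$fn"
        fi
    done
}

# Stand-alone demonstration on a constructed php.ini resembling vidmarc's.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
zend_extension = /htdocs/ioncube/ioncube_loader_lin_7.2.so
; disable_functions = exec
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
EOF
missing=$(missing_disabled_functions "$demo_ini")
if [ -z "$missing" ]; then
    echo "all recommended functions are disabled"
else
    echo "still enabled:"; echo "$missing"
fi
rm -f "$demo_ini"
```

Note that eval is a language construct rather than a function, so disable_functions cannot block it; the audit above only covers real functions.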