(dv):Disable PHP functions to improve security
This page was last modified on December 15, 2010, at 21:00.
From (mt) Community Wiki
The majority of attacks on PHP-based websites center around a handful of PHP functions that are executed on the server by maliciously uploaded files. One way to help guard against these types of attacks is to disable certain functions from operating on your web server. This can be done by editing the php.ini file.
Important Information before proceeding
This is not supported by (mt) Media Temple and may break PHP applications.
All file editing over SSH in this article uses the vi editor; if you prefer a different text editor on the server, substitute its command where needed.
You will need root access to SSH, or the ability to SSH into the server with a user that has the ability to run the su or sudo commands after connecting. It is assumed both the (dv) and (ve) servers are configured using the default locations for PHP and Apache. If you are using a different location for PHP, replace the directory paths where applicable; if you are using a different web server, consult the server's documentation for how to restart the service.
Instructions
Connect to your server via SSH, and change to the root user. Then issue the following command:
vi /etc/php.ini
Add the following line to php.ini:
disable_functions = passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source
After saving and quitting, restart Apache by running the following command:
/etc/init.d/httpd restart
Once Apache has restarted, the new PHP setting is in effect. Check every part of your websites afterwards to make sure the change has not broken anything.
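As an added example (not part of the (mt) article), a small bash helper that applies the same change without hand-editing: it merges the functions you want blocked into any existing uncommented disable_functions line (or appends one), keeps a .bak copy for rollback, and prints the resulting value so you can compare it with what PHP reports after the restart. The php.ini path and the function list are whatever you pass in.

```shell
#!/bin/bash
# Idempotently set disable_functions in a php.ini. Merges the requested list
# into any existing uncommented directive (union, no duplicates) or appends
# the directive if none exists. Example helper, not (mt)-supplied code.

# Print the effective disable_functions value from the ini file. The last
# uncommented occurrence wins, as it does for PHP itself; empty if none.
current_disabled() {
    local ini="$1"
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# Merge two comma-separated lists into one sorted, de-duplicated list.
merge_lists() {
    printf '%s\n%s\n' "$1" "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | LC_ALL=C sort -u | paste -sd ',' -
}

# ensure_disable_functions INI "fn1,fn2,..."
# Rewrites INI so the directive holds the union of existing and requested
# names, then prints the new effective value.
ensure_disable_functions() {
    local ini="$1" wanted="$2" merged
    merged=$(merge_lists "$(current_disabled "$ini")" "$wanted")
    cp -p "$ini" "$ini.bak"   # keep a copy to roll back if a site breaks
    if grep -qE '^[[:space:]]*disable_functions[[:space:]]*=' "$ini"; then
        # Replace every uncommented occurrence so one effective value remains
        sed -i -E "s/^[[:space:]]*disable_functions[[:space:]]*=.*/disable_functions = $merged/" "$ini"
    else
        printf 'disable_functions = %s\n' "$merged" >> "$ini"
    fi
    current_disabled "$ini"
}
```

Run it as `ensure_disable_functions /etc/php.ini passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source` and then restart Apache as above; the printed list should match the value PHP reports for disable_functions in phpinfo().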
Final Notes
Though these functions are disabled globally, you can still choose to enable functions on a page-by-page basis by using ini_set(). Using ini_set() executes the script with the changed value and, after the script has ended, reverts to the setting in php.ini for that function. For example, if you want to re-enable base64_decode on a web page, add the following line of PHP code to that page:
ini_set('base64_decode', 'On');
Practically any PHP function can be disabled; three others you may also want to disable are:
- exec
- eval
- base64_decode
As noted earlier in this article, if you choose to disable any of these functions, you will need to inspect your PHP code to make sure nothing will break.