Disable shell command from PHP for all domains?

j Zim (Guest)
It seems that a customer was able to upload a php file into the /tmp directory and then call a sh command (php <name of its file.php>) to execute the script.

At the moment I have no idea from which domain this was done, but as a quick fix I would like to disable the possibility of executing sh/shell commands for all my customers using PHP scripts.

Is that possible by changing the php5.ini file, or will doing it this way cause me some trouble with Plesk or other admin scripts (like phpMyAdmin, etc.)?

Thanks in advance for your help.
JZ
 
In php.ini, edit this line

;disable_functions =

to

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

or any other restriction you want to apply.
 
Ivalics,
Thanks for your reply. I know the "disable_functions" config; I posted my question to find out whether it can cause some trouble for admin interfaces like Plesk, phpMyAdmin, etc. Did you set up your Plesk server this way?
Regards,
 
Yes, we use it like this. Better to have it like this than to allow some exec functions. It can still be avoided, but for that there is also ASL with mod_security.
 
Thanks for this additional info, php.ini config changed! Could you let me know what you mean by "ASL with mod_security"? Additional setup/config on a per-website basis to allow exec for certain domains?
 
I just got a call from a customer... webmail cannot send email! Looks like Horde is using popen to call sendmail. I cannot get Horde working by changing its config, so I had to remove popen from disable_functions.
 
Yes, popen can create issues with webmail. I know there is a workaround, but I cannot remember where I saw it.
 
Breun was the one who posted the answer. He said to edit /etc/psa-horde/horde/conf.php (Plesk 8) or /etc/psa/webmail/horde/horde/conf.php (Plesk 9 and, I assume, Plesk 10?):

1) Change $conf['mailer']['type'] from 'sendmail' to 'smtp'
2) Add the following line:
$conf['mailer']['params']['host'] = 'localhost';

In this way, Horde will use SMTP and no longer needs popen to be enabled.

Faris.
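An added audit helper, written for this thread and not code from the forum, Plesk or Horde, that combines the two points above: it reads the active disable_functions line from a php.ini and reports which of the functions Ivalics recommended are still enabled, and it flags the Horde conflict when conf.php still uses the 'sendmail' mailer while popen is disabled. The php.ini and conf.php snippets are constructed samples.

```python
import re

# The disable_functions list recommended earlier in this thread.
RECOMMENDED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen",
               "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source"}

def parse_disable_functions(ini_text):
    """Return the set of functions disabled by the last active
    disable_functions line; ';' starts a comment, so the shipped
    ';disable_functions =' line is correctly treated as inactive."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line)
        if m:
            disabled = {f.strip().lower() for f in m.group(1).split(",") if f.strip()}
    return disabled

def horde_mailer_type(conf_text):
    """Extract $conf['mailer']['type'] from a Horde conf.php, or None if unset."""
    m = re.search(r"\$conf\['mailer'\]\['type'\]\s*=\s*'([^']+)'", conf_text)
    return m.group(1) if m else None

def audit(ini_text, conf_text):
    """Report recommended functions still callable and the popen/sendmail clash."""
    disabled = parse_disable_functions(ini_text)
    return {
        "still_enabled": sorted(RECOMMENDED - disabled),
        # Horde in 'sendmail' mode needs popen; 'smtp' mode does not.
        "horde_needs_popen": horde_mailer_type(conf_text) == "sendmail" and "popen" in disabled,
    }

# Constructed samples: a partially hardened php.ini and a Horde conf.php
# that has not yet been switched to SMTP.
SAMPLE_INI = """[PHP]
;disable_functions =
disable_functions = exec,passthru,shell_exec,system,proc_open,popen ; constructed
"""
SAMPLE_CONF = """<?php
$conf['mailer']['type'] = 'sendmail';
"""

if __name__ == "__main__":
    result = audit(SAMPLE_INI, SAMPLE_CONF)
    print("still enabled:", ", ".join(result["still_enabled"]))
    if result["horde_needs_popen"]:
        print("Horde mailer is 'sendmail' but popen is disabled: switch mailer type to 'smtp'")
```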
 
I did the suggested changes but I'm still getting an error about sendmail! Seems like my changes are ignored. What do I need to restart after the changes are done? I did a "service apache2 restart".
 