Disable shell command from PHP for all domains?

j Zim (Guest)
It seems that a customer was able to upload a PHP file into the /tmp directory and then call a sh command (php <name of its file.php>) to execute the script.

At the moment I have no idea from which domain this was done, but as a quick fix I would like to disable the possibility to execute sh/shell commands for all my customers using PHP scripts.

Is that possible by changing the php5.ini file (disable_functions), or will doing it this way give me trouble with Plesk or other admin scripts (like phpMyAdmin, etc.)?

Thanks in advance for your help.
JZ
 
No, that should be fine - Plesk uses its own php.ini file for its own web processes, so it should be safe to turn it off.

This is what I use in my disable_functions:

disable_functions = dl , exec , passthru , pcntl_exec , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , ftp_exec , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd

Also it's a good idea to set these:
expose_php = off
enable_dl = Off
allow_url_include = off
 
Hi Amin, thanks for your reply. I've added this config, but I got a call from a customer using webmail (Horde) and he was not able to send email anymore (error with sendmail, which is using popen). So I removed popen from the "disable_functions" config; do you think it's ok this way?
Cheers,
JZ
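The two posts above show the trade-off in practice: the disable_functions line covers every function that can spawn a child process, and taking popen back out of it re-opens one of those for every site on the server, not just the one running Horde. The following POSIX shell script is an added audit helper, not code from the thread or from Plesk. It parses a php.ini-style disable_functions directive and reports which process-spawning functions are still callable. The function list SPAWN_FUNCTIONS is constructed from the names used in the thread, and the helper names (disabled_functions, missing_functions) are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report which process-spawning PHP
# functions a php.ini-style disable_functions line still leaves callable.

# Functions that let a PHP script start a shell or child process.
# Constructed list, taken from the names discussed in the thread.
SPAWN_FUNCTIONS="exec passthru popen proc_open shell_exec system pcntl_exec dl"

# Print the names listed in the disable_functions directive of the php.ini
# at $1, one per line, with surrounding whitespace and quotes stripped.
# Handles the spaced form used in the thread ("dl , exec , passthru , ...").
disabled_functions() {
  sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' \
    | tr -d ' \t"' \
    | grep -v '^$' || :
}

# Print every function from SPAWN_FUNCTIONS that is NOT disabled in $1.
# Returns 0 when all of them are disabled, 1 when at least one is callable.
missing_functions() {
  have=$(disabled_functions "$1")
  rc=0
  for f in $SPAWN_FUNCTIONS; do
    if ! printf '%s\n' "$have" | grep -qx "$f"; then
      echo "$f"
      rc=1
    fi
  done
  return $rc
}

# Usage: ./audit_disable_functions.sh /path/to/php.ini
# Prints the still-callable functions and exits 1 if there are any.
if [ -n "$1" ]; then
  missing_functions "$1"
fi
```

Run against the ini file from the first answer the script prints nothing and exits 0; run against the same file with popen removed it prints `popen` and exits 1, which is exactly the gap the webmail workaround introduces. Because the file on disk is not necessarily what a given PHP handler loads, it is worth comparing with the live value as well: `php -r 'echo ini_get("disable_functions");'` prints the effective setting for that php binary, and its output can be pasted into a `disable_functions = ...` line and fed to the same helper.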
 
Should be ok, yeah - I don't use webmail on the same server as Plesk runs on, so I have mine disabled - you may also want to think about using safe_mode (if you're using an older than 5.3 version of PHP) and open_basedir restrictions as well, if you're not already.
 