
Disable shell command from PHP for all domains?

j Zim

Guest
It seems that a customer was able to upload a php file into the /tmp directory and then call a sh command (php <name of its file.php>) to execute the script.

At the moment I have no idea from which domain this was done, but as a quick fix I would like to disable the possibility to execute sh/shell commands from PHP scripts for all my customers.

Is that possible by changing the php5.ini file (disable_functions), or would doing it this way cause trouble with Plesk or other admin scripts (like phpMyAdmin, etc.)?

Thanks in advance for your help.
JZ
 
No, that should be fine - Plesk uses its own php.ini file for its own web processes, so it should be safe to turn it off.

This is what I use in my disable_functions:

disable_functions = dl , exec , passthru , pcntl_exec , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , ftp_exec , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd

Also, it's a good idea to set these:
expose_php = off
enable_dl = Off
allow_url_include = off
 
Hi Amin, thanks for your reply. I've added this config, but I got a call from a customer using webmail (Horde) and he was not able to send email anymore (error with sendmail, which uses popen). So I removed popen from the "disable_functions" config; do you think it's ok this way?
Cheers,
JZ
 
Should be ok, yeah - I don't use webmail on the same server that Plesk runs on, so I have mine disabled. You may also want to think about using safe_mode (if you're using a version of PHP older than 5.3) and open_basedir restrictions as well, if you're not already.
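To check a php.ini against the hardening from the answer above, and to catch the kind of breakage JZ hit when popen was disabled under Horde, here is an added example audit script. It is not Plesk's code nor code from either poster; it parses php.ini-style text, reports which of the recommended functions are still enabled, which of the three directives are not explicitly off, and which disabled functions an application you declare still needs. The only dependency it knows about is the one reported in this thread (Horde's sendmail transport needing popen); the sample php.ini contents are constructed.

```python
"""Audit php.ini hardening: disable_functions plus the three related directives.

Added example for this thread, not Plesk's own code. The recommended list is
the disable_functions value from the answer above; the app dependency map
contains only what the thread reports (Horde webmail needing popen).
"""

# Functions the answer above disables.
RECOMMENDED_DISABLED = {
    "dl", "exec", "passthru", "pcntl_exec", "popen", "posix_kill",
    "posix_mkfifo", "posix_setuid", "proc_close", "proc_open",
    "proc_terminate", "shell_exec", "system", "ftp_exec", "leak",
    "posix_setpgid", "posix_setsid", "proc_get_status", "proc_nice",
    "show_source", "escapeshellcmd",
}

# Directives the answer sets to off. An unset directive is reported too, so
# that the value is explicit in the file rather than relying on PHP defaults.
RECOMMENDED_OFF = ("expose_php", "enable_dl", "allow_url_include")
OFF_VALUES = {"off", "0", "false", "no", "none", ""}

# Constructed: a stock-looking php.ini with nothing disabled.
WEAK_INI = """\
; constructed sample, not a real server's file
[PHP]
expose_php = On
enable_dl = On
allow_url_include = Off
disable_functions =
"""

# Constructed: the settings from the answer above, verbatim.
HARDENED_INI = """\
; constructed sample carrying the answer's settings
[PHP]
disable_functions = dl , exec , passthru , pcntl_exec , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , ftp_exec , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd
expose_php = off
enable_dl = Off
allow_url_include = off
"""

# Dependency reported in the thread: Horde's sendmail transport calls popen().
HORDE_NEEDS = {"Horde webmail sendmail transport": ["popen"]}


def parse_php_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' comments, sections ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def disabled_functions(settings):
    """Return the set of function names listed in disable_functions (spaces tolerated)."""
    raw = settings.get("disable_functions", "")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}


def audit(ini_text, required_by_apps=None):
    """Compare an ini text against the recommended settings.

    Returns a dict with:
      missing       - recommended functions that are still callable
      flags_not_off - recommended-off directives that are unset or not off
      conflicts     - disabled functions that a declared application needs
    """
    required_by_apps = required_by_apps or {}
    settings = parse_php_ini(ini_text)
    disabled = disabled_functions(settings)
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    flags_not_off = {
        d: settings.get(d, "<unset>")
        for d in RECOMMENDED_OFF
        if settings.get(d, "<unset>").lower() not in OFF_VALUES
    }
    conflicts = sorted(
        f"{func} (needed by {app})"
        for app, funcs in required_by_apps.items()
        for func in funcs
        if func.lower() in disabled
    )
    return {"missing": missing, "flags_not_off": flags_not_off, "conflicts": conflicts}


if __name__ == "__main__":
    # Run the audit on both constructed files, declaring Horde as a deployed app.
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text, HORDE_NEEDS))
```

Running this on the hardened sample reports no missing functions and no flags, but one conflict: popen is needed by Horde. Re-running after removing popen from the list (which is what JZ did) clears the conflict and reports popen as the single remaining gap, which is the trade-off the thread ends up with.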
 