
Question PHP shell_exec etc. security risk by default in plesk?

brother4

Basic Pleskian
Hello,

I set up an Ubuntu dedicated server with Plesk Web Host Edition, primarily for internal projects. But I was wondering that PHP scripts by default can use shell_exec commands, navigate through the files from other customers, etc.

Is there a better way to prevent these things instead of disabling known PHP functions like opcache_get_status, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, highlight_file?

At the moment SSH access for subscriptions is set to bin/bash (chrooted). And I tested it on PHP 7.4.5 FPM.

Thank you!
 
@IgorG I disagree on this one. Actually, yes, it is possible to access the full server structure including all other folders when the shell_exec, exec, passthru etc. commands are not disabled in the subscription. I'd most definitely recommend to turn these off, unless it is a server one uses for himself/herself only.

Hello,

I disabled these shell commands, but was wondering that this is the default setting. Without clear indication. :)
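
An added example, not part of the original thread and not Plesk's own code: a small audit that reads PHP configuration text and reports which of the functions listed in the first post are still callable. The helper names and the sample configuration are constructed for illustration; it assumes a plain `disable_functions` line in php.ini and, optionally, a PHP-FPM pool `php_admin_value[disable_functions]` line, which appends to the php.ini value rather than replacing it.

```python
import re

# Functions the thread lists as candidates for disable_functions.
RISKY = ["opcache_get_status", "exec", "passthru", "shell_exec", "system",
         "proc_open", "popen", "parse_ini_file", "show_source", "highlight_file"]

DIRECTIVE = re.compile(
    r"^\s*(php_admin_value\[disable_functions\]|disable_functions)\s*=\s*(.*)$")

def disabled_functions(text, inherited=()):
    """Return the set of function names disabled after reading `text`.

    A plain `disable_functions =` line replaces any earlier value (last one
    wins in php.ini). An FPM pool `php_admin_value[disable_functions]` line
    appends to the value already in effect, passed in as `inherited`.
    """
    disabled = set(inherited)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop ini comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        names = {n.strip().strip("\"'") for n in m.group(2).split(",")}
        names.discard("")                    # an empty value disables nothing
        if m.group(1).startswith("php_admin_value"):
            disabled |= names
        else:
            disabled = names
    return disabled

def still_enabled(text, inherited=()):
    """List the thread's functions that the configuration leaves callable."""
    disabled = disabled_functions(text, inherited)
    # Exact, case-sensitive comparison: a differently cased entry is reported
    # as not disabling the function (conservative assumption).
    return [f for f in RISKY if f not in disabled]

# Constructed sample input, not taken from any real server.
SAMPLE_INI = """\
;disable_functions = system
disable_functions = exec,passthru   ; set by admin
"""
SAMPLE_POOL = "php_admin_value[disable_functions] = shell_exec, system, proc_open, popen\n"

if __name__ == "__main__":
    print("php.ini only:", still_enabled(SAMPLE_INI))
    base = disabled_functions(SAMPLE_INI)
    print("php.ini + pool:", still_enabled(SAMPLE_POOL, inherited=base))
```

Running the same check against each subscription's effective PHP settings shows which ones still leave the command-execution functions enabled.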
 