
Question: PHP shell_exec etc. security risk by default in Plesk?

brother4

Basic Pleskian
Hello,

I set up an Ubuntu dedicated server with Plesk Web Host Edition, primarily for internal projects. But I was wondering why PHP scripts by default can use shell_exec commands, navigate through the files of other customers, etc.

Is there a better way to prevent these things instead of disabling known PHP functions like opcache_get_status, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, highlight_file?

At the moment SSH access for subscriptions is set to bin/bash (chrooted). And I tested it on PHP 7.4.5 FPM.

Thank you!
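An added check, not from the thread or from Plesk: a small PHP script that reads the effective disable_functions and open_basedir values with ini_get() and reports which of the functions named in the question are still callable. Run it with the subscription's own PHP handler so it sees that site's settings; the function list is the one from the question, and the open_basedir remark is a general PHP fact, not a Plesk default.

```php
<?php
// Audit the two settings the thread is about: which of the listed functions
// are still enabled, and whether open_basedir confines file access.
// Run under the same handler as the site (e.g. drop into the docroot, or
// `php -c <pool php.ini> audit.php`) so ini_get() returns the effective values.

// Function list taken from the question (not a complete list of risky functions).
const RISKY_FUNCTIONS = [
    'opcache_get_status', 'exec', 'passthru', 'shell_exec', 'system',
    'proc_open', 'popen', 'parse_ini_file', 'show_source', 'highlight_file',
];

/** Parse a comma-separated disable_functions value into a lower-cased set. */
function parseDisabledFunctions(string $ini): array
{
    $names = array_filter(array_map('trim', explode(',', $ini)), 'strlen');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/** Return the candidates that are NOT present in the disabled set. */
function stillEnabled(array $candidates, array $disabled): array
{
    return array_values(array_filter(
        $candidates,
        fn(string $f): bool => !isset($disabled[strtolower($f)])
    ));
}

$disabled = parseDisabledFunctions((string) ini_get('disable_functions'));
$enabled  = stillEnabled(RISKY_FUNCTIONS, $disabled);

if ($enabled === []) {
    echo "disable_functions: all listed functions are disabled\n";
} else {
    echo "disable_functions: still callable -> " . implode(', ', $enabled) . "\n";
}

// disable_functions only removes the exec-style functions; it does not stop
// fopen()/file_get_contents() from reading paths the pool's OS user can read.
// open_basedir limits the paths PHP file functions may touch, in addition to
// the file-system permissions of that user.
$basedir = (string) ini_get('open_basedir');
echo $basedir === ''
    ? "open_basedir: not set (PHP file functions can reach any readable path)\n"
    : "open_basedir: {$basedir}\n";
```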
@IgorG I disagree on this one. Actually, yes, it is possible to access the full server structure including all other folders when the shell_exec, exec, passthru etc. commands are not disabled in the subscription. I'd most definitely recommend to turn these off, unless it is a server one uses for himself/herself only.

Hello,

I disabled these shell commands, but was wondering why this is the default setting, without clear indication. :)