05-03-2012, 01:44 PM #1 WHT Addict (Join Date: Apr 2011, Posts: 151)
ini_set has been disabled for security reasons
After a recent security incident we disabled a lot of PHP functions, including ini_set. But disabling ini_set has broken WordPress, Joomla and many other popular script installations.
My question: is it safe to enable ini_set()? If not, what is the safest workaround to this problem?
Thanks.
05-03-2012, 02:44 PM #2
ini_set is mainly used to prevent performance issues rather than security issues. You could just use a custom php.ini for that particular domain.
HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting
05-03-2012, 03:05 PM #3 Disabled (Join Date: Apr 2009, Posts: 3,262)
The bad thing about having a custom php.ini is that somebody could just enable all of the functions on the server and delete all of your files on the server. shell_exec can be used to delete everything, including the OS on the server.
05-03-2012, 03:14 PM #4
You can prevent a user overriding the functions. You can do it with LiteSpeed too.
05-03-2012, 03:16 PM #5 WHT Addict (Join Date: Apr 2011, Posts: 151)
A custom php.ini is a bad idea IMHO for security reasons.
05-03-2012, 03:24 PM #6
But the user could already upload a custom php.ini if they wanted to!? I doubt the users that don't know how to override functions in the first place are going to try to do any harm. Someone with the intention to do damage would already know how to use a custom php.ini ...
05-03-2012, 03:29 PM #7 WHT Addict (Join Date: Apr 2011, Posts: 151)
On Linux a custom php.ini can be disabled and shall be disabled. On Windows I am not sure about it.
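Added example, not from any poster in this thread: a PHP-FPM pool fragment that leaves ini_set() available so the WordPress/Joomla installers work, but pins the process-spawning functions with php_admin_value, which a per-account php.ini, a .user.ini or an ini_set() call cannot override (disable_functions is a PHP_INI_SYSTEM directive, so ini_set() could never re-enable a disabled function in any case). The pool name, account user and paths are assumed.

```ini
; /etc/php-fpm.d/example-account.conf   (path, pool name and user are assumed)
[example-account]
user   = example-account
group  = example-account
listen = /run/php-fpm/example-account.sock

; php_admin_value / php_admin_flag are final for this pool: they cannot be
; changed by ini_set(), by a .user.ini in the docroot, or by an account-level
; php.ini. ini_set itself is deliberately NOT in this list, because the
; installers need it and it cannot touch PHP_INI_SYSTEM settings anyway.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Keep the account's scripts inside its own tree and its temp directory
php_admin_value[open_basedir] = /home/example-account:/tmp

; Remote file inclusion via include/require of URLs stays off
php_admin_flag[allow_url_include] = off

; Settings the account may still tune for itself (overridable by the user)
php_value[memory_limit]       = 128M
php_value[upload_max_filesize] = 32M
```

This only holds when PHP runs under FPM (or mod_php with php_admin_value in the vhost); under suPHP/CGI a php.ini dropped into the account directory is loaded as the whole configuration, which is exactly the override post #3 is worried about, so the directive has to live in a file the account user cannot write.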
05-03-2012, 03:52 PM #8 Aspiring Evangelist (Join Date: Jan 2012, Posts: 362)
Currently hosting with SolidShellSecurity.com && awknet.com
-- I give them both 10/10 ratings for support, uptime, fast servers, security and quality services =)
I do freelance programming, server management, and web design work. =)
05-03-2012, 03:54 PM #9 Aspiring Evangelist (Join Date: Sep 2011, Posts: 411)
SimplexWebs for awesome British web hosting, servers & domain names. Seven fantastic years of it.
Need more power? We've got Enterprise Hosting for that.
05-03-2012, 03:59 PM #10 WHT Addict (Join Date: Apr 2011, Posts: 151)

05-03-2012, 04:07 PM #11 Aspiring Evangelist (Join Date: Sep 2011, Posts: 411)
Greetings,
Let me know how disabling PHP functions will secure your server and I'll gladly counter-argue any points.
Correct permissions, always-updated software etc. is best practice -- making hurdles for a "hacker" to jump over isn't. Servers should be secured at the OS level - not the application/software level. Do you offer Perl? Ruby? Cron? Jailed/bash SSH? CGI? If you offer any of those (or any other server-side scripting language, for that matter) then I presume you'll be creating such hurdles in their configuration too?
Heck, safe_mode is to be phased out of PHP and PHP themselves recommend hardening servers at the OS level instead of the software level! Will you be disabling functionality of Perl, Ruby etc. too?
With CloudLinux and other new technology around shared hosts can really see the benefit. CageFS does not have the publicity it deserves -- it's a real game changer in the security of shared hosting. I've had "proper" hackers try and exploit a server through an account inside a CageFS and they did not succeed. Look into CloudLinux with CageFS.
Note - copied and pasted some of this post from my previous postings here.
05-03-2012, 04:13 PM #12 Aspiring Evangelist (Join Date: Jan 2012, Posts: 362)
05-03-2012, 04:15 PM #13 Aspiring Evangelist (Join Date: Sep 2011, Posts: 411)
Please do. It's still in beta stages but stable enough for production usage. It's really frustrating when web hosts think disabling functions will fix all your problems but miss the underlying issues. I can guarantee a lot of web hosts who disable PHP functions don't keep their kernel up to date.
05-04-2012, 12:55 AM #14 WHT Addict (Join Date: Apr 2011, Posts: 151)
We keep the kernel updated on a regular basis. Disabling PHP functions is not a guarantee, but it is added surety that hackers will have a tough time exploiting through these dangerous PHP functions.
I am going to look at CageFS.
05-04-2012, 01:09 AM #15 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
05-04-2012, 01:10 AM #16 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)