  1. #1

    * ini_set has been disabled for security reasons

    After a recent security incident we disabled a lot of PHP functions, including ini_set. But disabling ini_set has broken WordPress, Joomla and many other popular script installations.

    My question: is it safe to enable ini_set()? If not, what is the safest workaround to this problem?

    Thanks.

  2. #2
    ini_set is mainly disabled to prevent performance issues rather than security issues. You could just use a custom php.ini for that particular domain.
    HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting

  3. #3
    The bad thing about having a custom php.ini is that somebody could just enable all of the functions on the server and delete all of your files on the server. shell_exec can be used to delete everything, including the OS on the server.

  4. #4
    You can prevent a user overriding the functions. You can do it with LiteSpeed too.

  5. #5
    A custom php.ini is a bad idea IMHO for security reasons.

  6. #6
    Quote Originally Posted by lifewithcause View Post
    A custom php.ini is a bad idea IMHO for security reasons.
    But the user could already upload a custom php.ini if they wanted to!? I doubt that the users who don't know how to override functions in the first place are going to try to do any harm. Someone with the intention to do damage would already know how to use a custom php.ini ...

  7. #7
    On Linux a custom php.ini can be disabled and should be disabled. On Windows I am not sure about it.
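    The first seven posts turn on whether a per-domain php.ini can undo disable_functions. The Python audit below is added here as an example; it is not code from any poster or from the PHP project. It parses the directive out of php.ini or PHP-FPM pool text, reports which process-spawning functions remain callable, notes that disabling ini_set gains nothing because ini_set() cannot touch disable_functions (a PHP_INI_SYSTEM directive), and flags a value that is not set through php_admin_value, the form that user-level configuration cannot override. The two config texts are constructed for this example; the function names and directive names are real PHP ones.

```python
import re

# Real PHP functions that spawn processes or run shell commands.
EXEC_FUNCTIONS = (
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec",
)

# Constructed sample: a plain php.ini block of the kind the original poster
# describes (ini_set disabled alongside the exec-style functions).
SAMPLE_PHP_INI = """
; php.ini (constructed example)
disable_functions = exec,passthru,shell_exec,system,ini_set
"""

# Constructed sample: the same policy in a PHP-FPM pool file using
# php_admin_value, which neither ini_set() nor a per-directory php.ini
# or .user.ini can replace.
SAMPLE_FPM_POOL = """
[www]
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_value[open_basedir] = /home/www/site:/tmp
"""

# Matches either the plain directive or the FPM admin form, one per line.
_DIRECTIVE_RE = re.compile(
    r"^\s*(php_admin_value\[disable_functions\]|disable_functions)\s*=\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_disable_functions(config_text):
    """Return (disabled_set, locked) from php.ini or FPM pool text.

    locked is True when the value comes from php_admin_value[...], the
    admin-only form that user-level configuration cannot change.
    """
    disabled, locked = set(), False
    for key, value in _DIRECTIVE_RE.findall(config_text):
        disabled |= {name.strip() for name in value.split(",") if name.strip()}
        if key.startswith("php_admin_value"):
            locked = True
    return disabled, locked


def remaining_exec_functions(disabled):
    """Process-spawning functions still callable under this policy, in order."""
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


def audit(config_text):
    """List the policy problems a practitioner would want flagged."""
    disabled, locked = parse_disable_functions(config_text)
    findings = []
    remaining = remaining_exec_functions(disabled)
    if remaining:
        findings.append("still enabled: " + ", ".join(remaining))
    if "ini_set" in disabled:
        # disable_functions is PHP_INI_SYSTEM: ini_set() can never re-enable
        # anything, so blocking ini_set only breaks applications.
        findings.append(
            "ini_set disabled: breaks applications and gains nothing "
            "(ini_set cannot change disable_functions, a PHP_INI_SYSTEM directive)"
        )
    if not locked:
        # Under CGI/suPHP setups PHP reads a php.ini from the script's
        # directory, so a plain directive can be replaced by the account owner.
        findings.append(
            "disable_functions not set via php_admin_value: a per-directory "
            "php.ini under CGI/suPHP can replace it"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("php.ini", SAMPLE_PHP_INI), ("fpm pool", SAMPLE_FPM_POOL)):
        print(label, "->", audit(text) or ["no findings"])
```

    Run against the plain php.ini sample the audit reports three findings (proc_open, popen and pcntl_exec still callable; ini_set needlessly blocked; value overridable); the FPM pool sample, which closes the whole exec family with php_admin_value, reports none.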

  8. #8
    Quote Originally Posted by M Bacon View Post
    The bad thing about having a custom php.ini is that somebody could just enable all of the functions on the server and delete all of your files on the server. Shell_Exec can be used to delete everything including the OS on the server.
    If someone can delete the entire server with PHP, your server setup is a fail.
    Currently hosting with SolidShellSecurity.com && awknet.com
    -- I give them both 10/10 ratings for support, uptime, fast servers, security and quality services =)
    I do freelance programming, server management, and web design work. =)

  9. #9
    Quote Originally Posted by M Bacon View Post
    The bad thing about having a custom php.ini is that somebody could just enable all of the functions on the server and delete all of your files on the server. Shell_Exec can be used to delete everything including the OS on the server.


    Ignore this. Disabling PHP functions is poor practice and won't protect your server.
    SimplexWebs for awesome British web hosting, servers & domain names. Seven fantastic years of it.
    Need more power? We've got Enterprise Hosting for that.

  10. #10
    Quote Originally Posted by Simplex-Ed View Post


    Ignore this. Disabling PHP functions is poor practice and won't protect your server.
    Is that a fact or an assumption? How can you back your (mis)statement?

  11. #11
    Quote Originally Posted by lifewithcause View Post
    Is that a fact or an assumption? How can you back your (mis)statement?
    Greetings,

    Let me know how disabling PHP functions will secure your server and I'll gladly counter-argue any points.

    Correct permissions, always-updated software, etc. are best practice -- making hurdles for a "hacker" to jump over isn't. Servers should be secured at the OS level, not the application/software level. Do you offer Perl? Ruby? Cron? Jailed/bash SSH? CGI? If you offer any of those (or any other server-side scripting language, for that matter) then I presume you'll be creating such hurdles in their configuration too?

    Heck, safe_mode is to be phased out of PHP and PHP themselves recommend hardening servers at the OS level instead of the software level! Will you be disabling functionality of perl, ruby etc too?

    With CloudLinux and other new technology around shared hosts can really see the benefit. CageFS does not have the publicity it deserves -- it's a real game changer in the security of shared hosting. I've had "proper" hackers try and exploit a server through an account inside a CageFS and they did not succeed. Look into CloudLinux with CageFS.



    Note - copied and pasted some of this post from my previous postings here.

  12. #12
    Quote Originally Posted by Simplex-Ed View Post
    Greetings,

    Let me know how disabling PHP functions will secure your server and I'll gladly counter-argue any points.

    Correct permissions, always-updated software, etc. are best practice -- making hurdles for a "hacker" to jump over isn't. Servers should be secured at the OS level, not the application/software level. Do you offer Perl? Ruby? Cron? Jailed/bash SSH? CGI? If you offer any of those (or any other server-side scripting language, for that matter) then I presume you'll be creating such hurdles in their configuration too?

    Heck, safe_mode is to be phased out of PHP and PHP themselves recommend hardening servers at the OS level instead of the software level! Will you be disabling functionality of perl, ruby etc too?

    With CloudLinux and other new technology around shared hosts can really see the benefit. CageFS does not have the publicity it deserves -- it's a real game changer in the security of shared hosting. I've had "proper" hackers try and exploit a server through an account inside a CageFS and they did not succeed. Look into CloudLinux with CageFS.



    Note - copied and pasted some of this post from my previous postings here.
    If this were Facebook I would like this, lol.

    Never heard of CageFS; will read into it now.

  13. #13
    Quote Originally Posted by BiggyMike View Post
    If this were Facebook I would like this, lol.

    Never heard of CageFS; will read into it now.
    Please do. It's still in beta stages but stable enough for production usage. It's really frustrating when web hosts think disabling functions will fix all your problems but miss the underlying issues. I can guarantee a lot of web hosts who disable PHP functions don't keep their kernel up to date.

  14. #14
    We keep the kernel updated on a regular basis. Disabling PHP functions is not a guarantee, but it is an added surety that hackers will have a tough time exploiting through these dangerous PHP functions.

    I am going to look at CageFS.

  15. #15
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  16. #16
    Quote Originally Posted by M Bacon View Post
    The bad thing about having a custom php.ini is that somebody could just enable all of the functions on the server and delete all of your files on the server. shell_exec can be used to delete everything, including the OS on the server.
    Perl scripts, Python scripts, Ruby scripts and compiled C binaries (yes, you can upload a compiled C binary and run it in your cgi-bin through your web browser) all have shell function ability.
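    Post #11 argues for hardening at the OS and web-server level, and post #16 points out that Perl, Python, Ruby and compiled C binaries in cgi-bin reach a shell regardless of PHP's disable_functions. The Python check below is an added example, not code from any poster: it scans Apache configuration text for the directives that grant that kind of execution (ScriptAlias, Options ExecCGI, AddHandler cgi-script, and AllowOverride settings that let an account's .htaccess switch those on) so that a PHP-only lockdown can be compared with what the web server still permits. The httpd.conf fragments are constructed for the example; the directive names are real Apache ones, and `php_admin_value` in the Apache form is the mod_php equivalent of the FPM admin setting.

```python
# Constructed sample: a shared-hosting vhost where PHP has disable_functions,
# but CGI execution is wide open for the same account. Paths are made up.
SAMPLE_HTTPD_CONF = """
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /home/user1/public_html
    ScriptAlias /cgi-bin/ /home/user1/public_html/cgi-bin/
    <Directory /home/user1/public_html>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi .pl
        AllowOverride All
    </Directory>
    php_admin_value disable_functions exec,passthru,shell_exec,system,proc_open,popen
</VirtualHost>
"""

# Constructed sample: the same directory with CGI switched off and .htaccess
# unable to re-enable it (no Options or FileInfo override).
SAMPLE_HTTPD_CONF_HARDENED = """
<Directory /home/user1/public_html>
    Options -ExecCGI -Includes FollowSymLinks
    AllowOverride AuthConfig Limit
</Directory>
"""


def find_cgi_exposure(conf_text):
    """Return [(label, line)] for directives that let uploaded scripts or
    binaries execute under the web server, outside PHP's disable_functions."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("scriptalias", "scriptaliasmatch"):
            # Everything under the target directory runs as a CGI program.
            findings.append(("ScriptAlias", line))
        elif directive == "options":
            # "+ExecCGI" and "ExecCGI" enable it; "-ExecCGI" does not.
            # "All" includes ExecCGI (Apache: all options except MultiViews).
            flags = {t.lstrip("+").lower() for t in tokens[1:] if not t.startswith("-")}
            if "execcgi" in flags or "all" in flags:
                findings.append(("ExecCGI", line))
        elif directive == "addhandler" and len(tokens) > 1 and tokens[1].lower() == "cgi-script":
            # Files with these extensions are executed, in any ExecCGI directory.
            findings.append(("cgi-script handler", line))
        elif directive == "allowoverride":
            # "All", or "Options" together with "FileInfo", lets a .htaccess
            # add "Options +ExecCGI" and "AddHandler cgi-script" itself.
            overrides = {t.lower() for t in tokens[1:]}
            if "all" in overrides or {"options", "fileinfo"} <= overrides:
                findings.append(("AllowOverride", line))
    return findings


if __name__ == "__main__":
    for label, text in (("open vhost", SAMPLE_HTTPD_CONF),
                        ("hardened", SAMPLE_HTTPD_CONF_HARDENED)):
        print(label)
        for kind, line in find_cgi_exposure(text) or [("ok", "no CGI exposure found")]:
            print("  ", kind, "->", line)
```

    On the first sample all four exposures are reported even though the PHP exec functions are disabled with php_admin_value; on the hardened sample nothing is reported, because -ExecCGI turns the option off and AllowOverride without Options/FileInfo keeps .htaccess from turning it back on. The check is deliberately syntactic: it does not model directive inheritance between nested <Directory> blocks, so treat a clean result as a starting point, not proof.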
