Scary PHP Functions you should disable…
June 17, 2008 – 10:15 pm
We have just completed a security update on one of our main servers, and while performing it we realised that there is a distinct lack of information out there about the security of individual PHP functions, and no good list of the functions that should be banned or switched off on a shared host.
When you install PHP it makes very few recommendations about which functions you should ban on your servers. It does ship with a safe_mode directive in php.ini (off in the stock configuration, so it has to be switched on deliberately), which is useful, but as a web host trying to offer the best service possible we like to give our customers the choice of running under safe mode or not. Two caveats are worth knowing: safe_mode and magic_quotes_gpc are separate directives, since safe mode restricts which files a script may open and which programs it may run while magic quotes only escapes incoming request data, and safe_mode was deprecated in PHP 5.3 and removed in 5.4, so it cannot be relied on as a long-term control. We also know that as a developer it is a real pain to be forced to deal with things like magic quotes when you already have tight methods of blocking SQL injection, XSS attacks and so on.
So, since we want to leave things as flexible as possible for developers, it is critical for us to know that our customers cannot write PHP code that leaves our server wide open to attack.
So, being diligent web hosts, we searched high and low for a decent list of PHP functions that we ought to ban and, surprisingly, could not really find one.
So, for anyone wondering what to ban, here is our list of PHP functions you should definitely not allow your customers to use. The mechanism is the disable_functions directive in php.ini (or php_admin_value in httpd.conf): it takes a comma-separated list of names and is a PHP_INI_SYSTEM setting, so customer code cannot switch it back off with ini_set() or a .htaccess file.
Process execution and shell access: exec, system, passthru, shell_exec, popen, pclose, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, pcntl_exec, ftp_exec, virtual
Shell escaping helpers: escapeshellarg, escapeshellcmd
Configuration and extension loading: dl, ini_alter, parse_ini_file
Sockets and logging: pfsockopen, openlog, syslog, closelog, error_log
Apache-specific: apache_child_terminate, apache_get_env, apache_set_env, apache_note
Filesystem links and source disclosure: readfile, readlink, symlink, link, show_source, highlight_file
POSIX process control and identity: posix_kill, posix_mkfifo, posix_setpgid, posix_setuid, posix_setsid, posix_setegid, posix_seteuid, posix_getpwnam, posix_getpwuid, posix_ctermid, posix_uname, posix_getegid, posix_geteuid, posix_getpid, posix_getppid
A few notes on the list. Disabling shell_exec also disables the backtick operator, which compiles down to the same call. show_source is an alias of highlight_file and ini_alter is an alias of ini_set, so banning one name without the other achieves nothing; the same applies to any alias of a banned function. escapeshellarg and escapeshellcmd execute nothing themselves: once the execution functions above are disabled they are harmless, and on a server where shell execution is still permitted removing them only makes customer code less safe, so you may prefer to leave them enabled. readfile is one of many ways to read a file (file_get_contents, fopen and include remain), so it is listed for completeness rather than as a containment measure; keeping customers out of each other's files is a job for open_basedir or per-customer users, not for a function ban. error_log is on the list because with message type 3 it writes its message to an arbitrary path writable by the web server user. The posix_get* functions only disclose information such as the process id, uid and uname, and are far less dangerous than posix_setuid or posix_kill.
I'm not going to go into detail here, but if you're in for a fright, look these functions up (especially the posix ones) on www.php.net; you will be very scared!
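As an added example that is not part of the original post, the script below audits whether the functions listed above are actually unavailable in the PHP build it runs under. It reads the effective disable_functions value and, more importantly, checks function_exists(), which returns false both for functions removed via disable_functions and for functions compiled out of the build (for instance the whole posix_* family when PHP is built without POSIX support). The reference list is the post's list with the two duplicated names (openlog, syslog) removed; the grouping comments and the helper names parseDisableFunctions, notInDisableList and stillCallable are this example's own, and it assumes PHP 5.4 or later for the short array syntax.

```php
<?php
// Added example, not code from the original post: audit the effective
// disable_functions setting against the post's list of functions to ban.
// Helper names and the grouping comments are this example's own.

// Names the post says a shared host should ban (duplicates removed).
$bannedFunctions = [
    // process execution and shell access
    'exec', 'system', 'passthru', 'shell_exec', 'popen', 'pclose',
    'proc_open', 'proc_close', 'proc_get_status', 'proc_nice',
    'proc_terminate', 'pcntl_exec', 'ftp_exec', 'virtual',
    // shell escaping helpers (harmless once the functions above are gone)
    'escapeshellarg', 'escapeshellcmd',
    // configuration and extension loading
    'dl', 'ini_alter', 'parse_ini_file',
    // sockets and logging
    'pfsockopen', 'openlog', 'syslog', 'closelog', 'error_log',
    // Apache-specific
    'apache_child_terminate', 'apache_get_env', 'apache_set_env', 'apache_note',
    // filesystem links and source disclosure
    'readfile', 'readlink', 'symlink', 'link', 'show_source', 'highlight_file',
    // POSIX process control and identity
    'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setuid', 'posix_setsid',
    'posix_setegid', 'posix_seteuid', 'posix_getpwnam', 'posix_getpwuid',
    'posix_ctermid', 'posix_uname', 'posix_getegid', 'posix_geteuid',
    'posix_getpid', 'posix_getppid',
];

// Parse the effective disable_functions value: a comma-separated list,
// whitespace tolerated, names case-insensitive.
function parseDisableFunctions($iniValue)
{
    $names = preg_split('/[\s,]+/', (string) $iniValue, -1, PREG_SPLIT_NO_EMPTY);
    return array_map('strtolower', $names);
}

// Names from $wanted that disable_functions does not mention.
function notInDisableList(array $wanted, array $disabled)
{
    return array_values(array_diff(array_map('strtolower', $wanted), $disabled));
}

// Names a customer script could still call. function_exists() is false
// for functions removed by disable_functions and for functions that were
// never compiled in, so this is the check that actually matters.
function stillCallable(array $wanted)
{
    return array_values(array_filter($wanted, 'function_exists'));
}

$disabled = parseDisableFunctions(ini_get('disable_functions'));
$missing  = notInDisableList($bannedFunctions, $disabled);
$callable = stillCallable($bannedFunctions);

printf("%d of %d names are in disable_functions\n",
    count($bannedFunctions) - count($missing), count($bannedFunctions));
foreach ($missing as $name) {
    $state = in_array($name, $callable, true) ? 'CALLABLE' : 'absent from this build';
    printf("  not listed: %-22s (%s)\n", $name, $state);
}
// Non-zero exit if anything on the list can still be called.
exit($callable ? 1 : 0);
```

Run it under the same SAPI your customers use (drop it into a vhost and request it over HTTP, or point php-cli at the web server's ini with php -c), because the CLI usually reads a different php.ini and will otherwise report on the wrong configuration. Because disable_functions is PHP_INI_SYSTEM, a clean run means customer code cannot re-enable these names at runtime; a name reported as CALLABLE is either missing from the list or spelt differently from the name PHP registers.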
One Response to “Scary PHP Functions you should disable…”
I should also mention that posix can be left out of your php version at compile time, and that this is the recommended option.
By admin on Jun 23, 2008