On Sat, 2014-01-25 at 21:44 +0100, Reindl Harald wrote:
Am 25.01.2014 21:40, schrieb Always Learning:
if($ban) { $ipx = $ip1; exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned.".$mm." -j DROP -s ".$ipx); }
if your webserver is allowed to call exec() at all from php-scripts and even "sudo" this is a security hole big like a house and you are a pure idiot - there is nothing more to say except some sane php settings for a webserver
disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"
Guten Abend Harald (that's a good old Norwegian name)
1. Both C6 and C5's /etc/php.ini have
disable_functions =
Neither C5 nor C6 /etc/php.ini have your list of dangerous PHP functions. One wonders why not, if they are so dangerous.
2. In your list you have 'mail' which I consider an essential PHP command in a production environment.
3. I'm willing to add your suggestions to php.ini except for three.
4. I'm puzzled how hackers can break in to use all those functions in your list. Can you elaborate please?
Mfg / best regards,
Paul.
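An added example, not code from the thread, from CentOS or from PHP: a small audit script that reads the disable_functions directive from a php.ini fragment the way PHP's ini parser does (comma-separated names, optional quotes, ';' comments, last directive wins) and reports which entries of Harald's list are still callable. The only material taken from the thread is his function list; the two php.ini fragments are constructed samples, one with the stock empty directive Paul describes and one hardened with the list. The keep parameter is my own addition to model Paul's objection that mail must stay enabled in production.

```python
"""Audit the disable_functions directive of a php.ini against a reference list.

Added example, not code from the thread or from CentOS/PHP. It parses
disable_functions the way php.ini writes it (comma-separated names, optional
quotes, ';' comments) and reports which entries from Harald's list are still
callable. The `keep` parameter models Paul's objection: functions such as mail
that a production site needs stay enabled and are reported separately.
"""
from __future__ import annotations

import re

# Harald's list, copied from his message (the only part taken from the thread).
HARALD_LIST = (
    "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, "
    "getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, "
    "passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, "
    "pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, "
    "pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, "
    "pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, "
    "pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, "
    "pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, "
    "posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, "
    "proc_nice, proc_open, proc_terminate, shell_exec, show_source, "
    "socket_accept, socket_bind, symlink, syslog, system"
)


def split_function_list(value: str) -> set[str]:
    """Split a disable_functions value into lowercase names; blanks are dropped."""
    value = value.strip().strip('"').strip("'")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


RECOMMENDED_DISABLED = split_function_list(HARALD_LIST)

_DIRECTIVE = re.compile(r"^disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the names disabled by the last disable_functions line in ini_text.

    An absent directive or an empty value (the stock C5/C6 'disable_functions =')
    both yield an empty set, i.e. everything stays callable.
    """
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = _DIRECTIVE.match(line)
        if m:
            disabled = split_function_list(m.group(1))  # a later line overrides
    return disabled


def audit(ini_text: str, recommended=RECOMMENDED_DISABLED, keep=frozenset()) -> dict:
    """Compare ini_text against the recommended list.

    keep: functions deliberately left enabled (e.g. {'mail'}); they are not
    counted as missing but are listed so the exception is visible in a report.
    """
    disabled = parse_disable_functions(ini_text)
    keep = {k.lower() for k in keep}
    return {
        "missing": sorted((set(recommended) - keep) - disabled),
        "kept_on_purpose": sorted(keep & set(recommended)),
        "disabled_count": len(disabled),
    }


# Constructed samples: the stock directive Paul describes, and a hardened one
# that applies Harald's list minus mail.
STOCK_INI = "; constructed stock php.ini fragment\ndisable_functions =\n"
HARDENED_INI = (
    "; constructed hardened php.ini fragment\n"
    'disable_functions = "'
    + ", ".join(sorted(RECOMMENDED_DISABLED - {"mail"}))
    + '"\n'
)

if __name__ == "__main__":
    for label, ini in (("stock", STOCK_INI), ("hardened", HARDENED_INI)):
        report = audit(ini, keep={"mail"})
        print(f"{label}: {len(report['missing'])} recommended functions still enabled")
        if report["missing"]:
            print("  missing:", ", ".join(report["missing"]))
        if report["kept_on_purpose"]:
            print("  kept on purpose:", ", ".join(report["kept_on_purpose"]))
```

Run against the real /etc/php.ini the stock fragment reports all 55 names as still enabled, which matches what Paul sees on C5 and C6. disable_functions is a PHP_INI_SYSTEM directive, so only the server-level configuration can set it and a script cannot turn a function back on with ini_set(). Disabling exec() is one layer only: the sudo rule that lets the web server user run /sbin/iptables as root in the line Harald quoted is a separate privilege and is not touched by this directive.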