On Sat, 2014-01-25 at 21:44 +0100, Reindl Harald wrote:
> On 25.01.2014 21:40, Always Learning wrote:
> >
> > if ($ban) {
> >     $ipx = $ip1;
> >     exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned.".$mm." -j DROP -s ".$ipx);
> > }
> if your webserver is allowed to call exec() at all from php-scripts and
> even "sudo" this is a security hole as big as a house and you are a pure
> idiot - there is nothing more to say except some sane php settings for
> a webserver
>
> disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid,
> getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
> pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
> pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus,
> pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen,
> posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice,
> proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"
Good evening Harald (that's a good old Norwegian name)
1. Both C6's and C5's /etc/php.ini have
disable_functions =
Neither C5's nor C6's /etc/php.ini has your list of dangerous PHP functions. One wonders why not, if they are so dangerous.
2. In your list you have 'mail' which I consider an essential PHP command in a production environment.
3. I'm willing to add your suggestions to php.ini except for three.
4. I'm puzzled how hackers can break in to use all those functions in your list. Can you elaborate please?
Mfg / best regards,
Paul.
--
Paul.
England,
EU.
Our systems are exclusively Linux. No Micro$oft Windoze here.
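An added example, not code from this thread or from either poster, that turns the two technical points above into something an administrator can run: it audits which names from Harald's disable_functions list are still callable in the PHP runtime (with a `$keep` list for functions the site needs, such as `mail`), and it shows how the quoted ban snippet can work without exec() or sudo at all. The spool path `/var/spool/webban/pending`, the function names `stillCallable` and `queueBan`, and the root-owned consumer that turns the spool into iptables rules are all assumptions of this example, not anything the thread describes.

```php
<?php
declare(strict_types=1);

// Harald's suggested disable_functions list, copied from the thread.
const RECOMMENDED_DISABLED = 'apache_child_terminate, chown, dl, exec, fileinode, '
    . 'get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail, '
    . 'openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, '
    . 'pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, '
    . 'pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, '
    . 'pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, '
    . 'pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, '
    . 'popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, '
    . 'proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, '
    . 'show_source, socket_accept, socket_bind, symlink, syslog, system';

// Spool file the web user may append to. Assumed path for this example: a
// root-owned directory in which the web user is the only permitted writer.
const BAN_SPOOL = '/var/spool/webban/pending';

/**
 * Return the names from $csvList that this PHP runtime can still call.
 * function_exists() is false both for functions removed by disable_functions
 * and for functions the build never had (pcntl_* under mod_php, for instance),
 * so only names that are genuinely callable are reported.
 */
function stillCallable(string $csvList, array $keep = []): array {
    $callable = [];
    foreach (explode(',', $csvList) as $name) {
        $name = trim($name);
        if ($name === '' || in_array($name, $keep, true)) {
            continue;   // $keep: functions the site needs, e.g. mail (Paul's point 2)
        }
        if (function_exists($name)) {
            $callable[] = $name;
        }
    }
    return $callable;
}

/**
 * Replacement for exec("sudo ... iptables ... -s ".$ipx): validate the input
 * and append it to a spool that a separate root-owned process consumes.
 * The web process needs neither exec() nor sudo, so both can stay disabled.
 */
function queueBan(string $ip, string $mm): bool {
    // Only a literal IPv4/IPv6 address is accepted; anything else (option
    // flags, shell metacharacters, a CIDR range) is rejected before it can
    // reach any privileged tool.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // $mm selects the "1banned.<mm>" chain in the original; keep it to a short
    // alphanumeric token so it cannot smuggle extra iptables arguments either.
    if (preg_match('/^[A-Za-z0-9]{1,16}$/', $mm) !== 1) {
        return false;
    }
    $line = sprintf("%s %s %s\n", date('c'), $mm, $ip);
    return file_put_contents(BAN_SPOOL, $line, FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI === 'cli') {
    // Audit the web server's configuration by pointing the CLI at its ini file:
    //   php -c /etc/php.ini this_script.php
    $open = stillCallable(RECOMMENDED_DISABLED, ['mail']);
    printf("disable_functions = \"%s\"\n", (string) ini_get('disable_functions'));
    echo $open === []
        ? "all recommended functions are disabled\n"
        : 'still callable: ' . implode(', ', $open) . "\n";
}
```

Two points about running it. The CLI and the web SAPI can load different ini files (and mod_php may inherit extra settings from httpd.conf), so the audit only means something when it is run against the ini the web server actually uses; with php-fpm, dropping the script under the document root and reading the output there gives the authoritative answer. The consumer side is deliberately left out of the web tier: a root cron job or small daemon that reads each spool line, checks the address again, and calls /sbin/iptables itself is the part that holds the privilege, and the spool file must not be writable by anyone other than the web user, since whoever can write to it can request a ban.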