How to Disable PHP Functions Per Domain
Jul 29, 2007
When dealing with the security of your server you will eventually get to the part where you will want to disable some PHP functions. The only problem on shared hosting is that you cannot disable exec for a domain and enable that function for another that needs it because of some lame script. Eventually you will get to the part where you will need to enable exec on the entire server because of one site.
There is a solution to this and it’s called suhosin.
Suhosin has a configuration variable called "suhosin.executor.func.blacklist" which can be used to disable some PHP functions. The difference between this variable and disable_functions in php.ini is that it can be set for all the sites and then it can be modified for a domain only (it can be overwritten) so you will be able to disable exec on the entire server and enable that function for a single domain.
I will not write here how to install suhosin.
Also, you only need the extension for this so you do not need to patch php and recompile.
IMPORTANT: I have noticed that the suhosin extension 0.9.20 will not work anymore as there are some problems with it. It’s ok as long as we have 0.9.18. Probably the next version of the extension will be fixed to work ok again so remember to use version 0.9.18 for this until the problem is fixed.
OK, so to use suhosin as the PHP function blocker we need to comment out disable_functions in php.ini (yes, enable all the functions) and then set suhosin.executor.func.blacklist in php.ini to something like this:
suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
You can add as many functions as you like.
After that, all the functions added in suhosin.executor.func.blacklist will not work anymore in PHP scripts. If you need to enable a function for a domain, let's say exec, you will have to edit the Apache configuration file and add suhosin.executor.func.blacklist without the exec function:
<VirtualHost 127.0.0.1>
ServerAlias www.test.com
ServerAdmin webmaster@test.com
DocumentRoot /home/test/public_html
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"
</VirtualHost>
Now exec is disabled on the server but it's enabled on the test domain.
View 0 Replies
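Because a per-domain php_admin_value replaces the whole blacklist instead of adding to it, every function left out of a domain's list is switched back on for that domain. The following audit sketch is an added example, not part of the original post: it compares the global list with each virtual host's override and reports what each host re-enables. The sample configuration is constructed and shortened, and www.example.org and www.plain.example are hypothetical hosts.

```python
import re

# Constructed sample input modelled on the post's settings (not read from a real server).
PHP_INI = """
;disable_functions =
suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, proc_open, popen
"""

HTTPD_CONF = """
<VirtualHost 127.0.0.1>
ServerAlias www.test.com
php_admin_value suhosin.executor.func.blacklist "passthru, shell_exec, system, proc_open, popen"
</VirtualHost>
<VirtualHost 127.0.0.1>
ServerAlias www.example.org
php_admin_value suhosin.executor.func.blacklist "passthru, system"
</VirtualHost>
<VirtualHost 127.0.0.1>
ServerAlias www.plain.example
</VirtualHost>
"""

KEY = "suhosin.executor.func.blacklist"

def parse_list(value):
    # PHP function names are case-insensitive, so normalise to lower case.
    return {f.strip().lower() for f in value.strip().strip('"').split(",") if f.strip()}

def global_blacklist(ini_text):
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # drop php.ini comments
        m = re.match(r"\s*" + re.escape(KEY) + r"\s*=\s*(.*)", line)
        if m:
            return parse_list(m.group(1))
    return set()

def reenabled_per_vhost(conf_text, global_set):
    # Map each vhost that overrides the blacklist to the functions it re-enables.
    report = {}
    for block in re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        name = re.search(r"^\s*Server(?:Name|Alias)\s+(\S+)", block, re.M | re.I)
        override = re.search(r"^\s*php_admin_value\s+" + re.escape(KEY) + r"\s+(.+)$", block, re.M | re.I)
        if name and override:
            report[name.group(1)] = sorted(global_set - parse_list(override.group(1)))
    return report

if __name__ == "__main__":
    for host, funcs in reenabled_per_vhost(HTTPD_CONF, global_blacklist(PHP_INI)).items():
        print(host, "re-enables:", ", ".join(funcs) or "nothing")
```

Hosts without an override inherit the global list and are left out of the report; any host that re-enables more than the one function it was meant to have is worth reviewing.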
Sep 15, 2007
Does the below look good for a private server (linux, cpanel, phpsuexec disabled)?
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open
What about a shared hosting server (linux, cpanel, phpsuexec *enabled*)?
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open
View 2 Replies
Jun 10, 2009
Is it possible to disable mod_security and open_basedir thru .htaccess if both are enabled in server configuration?
View 3 Replies
Apr 23, 2009
In the php.ini I've disabled several functions for security reasons but I need to enable exec() and shell_exec() for WHMCS Status, but I don't want it enabled for anything or anyone else. I know you can override the global php.ini but I preferably don't want that on, and I also forgot where that option is, but I was wondering if there were any workarounds or would I have to enable exec() and shell_exec() globally or enable php.ini override.
View 3 Replies
Jun 13, 2008
How to disable those functions on VPS with Lxadmin and CentOS 5:
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, base64_decode, base64_encode, proc_terminate
View 9 Replies
May 15, 2007
Has anybody been successful in disabling awstats for one domain only? I've seen this method somewhere else but was wondering if any of you guys have tried it here:
----------------------
Append the line,
skipawstats=1 to the file /var/cpanel/users/<username>
----------------------
View 4 Replies
Jul 12, 2007
I created a new cPanel account, subdomain.domain.com.
Sometimes when I go to [url] in my browser, it changes to www.subdomain.domain.com.
I want to disable 'www' for some 'xml' script reason.
How do I do that?
View 12 Replies
Oct 12, 2007
I am running on;
Plesk version: psa v8.0.1_build80060613.20 os_CentOS 4.2
Operating system: Linux 2.6.9-023stab033.6-smp
License key number: PLSK.00170782.0006
I need to be able to access CGI between vhost domains, in particular one frequently updated file located 'centrally' in the cgi-bin of one of the vhost domains.
I would like other vhost domains to be able to access this file but suexec won't let that happen. I have searched around and tried the following:
Created vhost.conf file in the conf directory of one of the domains.
The vhost.conf file contained (with no #):
# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>
I ran;
/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain name>
Then reboot.
The result was all the vhosts stopped working. I reset the websrvmng and things returned to normal.
Then I tried updating the httpd.include file adding (with no #);
# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>
Then reboot.
The result was the same, all vhosts stopped working.
Does anyone have an idea how I can achieve this? I know I can disable suexec altogether but that wreaked a little havoc with the CGI app when I tried that.
View 2 Replies
Jul 25, 2014
How do we disable email on the domain entirely? The client is hosting email externally. The offered spam filtering is wholly inadequate and we're seeing a few of these happening, to the point I'm considering offering externally hosted email plans anyway. But back to the problem: I need to delete the mailboxes, then disable mail, and then remove the DNS records for webmail etc., but can't seem to find how to turn off locally hosted email for a domain.
View 11 Replies
Feb 14, 2015
My customer is using Exchange in their internal office, and the HTTPS port conflicts with their work. How do I disable the HTTPS port on their domain?
I am using Plesk 11.x and I have about 300 domains on it.
View 1 Replies
Feb 24, 2015
Is it possible to control if nginx is active on a per-domain basis? If so, how do we configure this? If not, how do we disable nginx completely?
View 3 Replies
Apr 2, 2015
New to Plesk in general so I don't know for sure if the "Register Domain Names" feature is part of our 'Web Pro Edition' or comes by default.
Also, is the domain registration option showing up because when installing Plesk I enabled the "Enable access to premium commercial apps"?
So my question is, can we still set it up so users have access to install applications (free and commercial), but disable the domain registration option?
View 1 Replies
Jun 23, 2015
I have a Plesk 12 server running under Debian 7. I have a website with only mail so I disabled web hosting. The problem is that the client needs to use webmail but webmail does not work (maybe because web hosting is disabled)...
View 1 Replies
Jan 21, 2014
My Plesk Panel is version 11.0.9 on Microsoft Windows Server 2008 R2 Service Pack 1, with mail server IceWarp Server 10.2.2.
My subscription has 2 domains: matbaocare.com (main domain) and matbaocare.net (second domain).
When I create an e-mail address, by default I can choose between several domains on my account, @matbaocare.com or @matbaocare.net.
But I don't want to create e-mail with the second domain; only the main domain should be able to use email!
How do I configure Plesk to automatically disable creating e-mail with several domains on an account?
View 7 Replies
Aug 6, 2014
I have several domains configured in my Plesk, and one of them is set as the "Default site" under Home >> Tools & Settings > IP address management. This has the unpleasant side effect that any domain I point to this IP renders content from the Default site unless it's set up. How can I configure the default site to render content from only one domain?
View 1 Replies
Jul 26, 2007
about DNS functions. I know what the DNS is, but some part of it I am confused.
Here is situation.
AAA.com - Master
BBB.com - Reseller
Now, BBB's clients point their DNS to ns1.BBB.com, ns2.BBB.com
However, when I check BBB's whois, it shows BBB has ns1.AAA.com, ns2.AAA.com
So, BBB's clients know BBB is reseller. How can I show ns1.BBB.com, ns2.BBB.com?
I believe it's DNS function, right?
so I tried to edit DNS following:
Domain TTL Recordtype
BBB.com 86400 NS ns1.BBB.com (default was ns1.AAA.com)
BBB.com 86400 NS ns1.BBB.com (default was ns2.AAA.com)
Is it correct?
however, I checked BBB's whois, but it's still showing up ns1.AAA.com, ns2.AAA.com
View 3 Replies
Nov 24, 2008
It seems that some tsearch2 functions are inaccessible such as a set of rank() funcs. The default definition for one of the functions is shown in the following snippet of code:
CREATE OR REPLACE FUNCTION rank(real[], tsvector, tsquery)
RETURNS real AS
'$libdir/tsearch2', 'rank'
LANGUAGE 'c' IMMUTABLE STRICT;
I've tried to execute this script shown above and got the following error:
ERROR: permission denied for language c
rpm -qa | grep postgresql
postgresql-devel-8.3.5-1PGDG.rhel4
postgresql-server-8.3.5-1PGDG.rhel4
postgresql-8.3.5-1PGDG.rhel4
postgresql-libs-8.3.5-1PGDG.rhel4
postgresql-plpython-8.3.5-1PGDG.rhel4
View 2 Replies
Jun 29, 2007
My VPS managed service has disabled these functions in php.ini:
Code:
exec, shell_exec, system, passthru, popen, virtual, show_source, pclose
I asked them why these are disabled and the answer was "because of security reasons".
So for example a Joomla installation with working RSS needs some of these functions, and when I install various PHP programs I face some strange problems that I think may be from these disabilities.
So my question is: should these functions usually be disabled? And may I delete them from disable_functions in php.ini?
View 7 Replies
Aug 26, 2007
My site is running with PHP scripts. It works fine at Bluehost but I get some errors when I move to the new VPS.
Quote:
Warning: fputs(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 171
Warning: fclose(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 173
Warning: fputs(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 225
Warning: fclose(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 227
I want to enable these functions fopen(), fputs(), fclose(), fputs(), fclose() but I don't know how to enable them. Could you tell me the details?
View 2 Replies
Jun 24, 2009
Are there companies out there that allow unlimited emailing capabilities on a VPS server? What kind of budget would be best to get this capability? Am I better off going with a dedicated server?
View 1 Replies
Mar 16, 2008
How to make MySQL functions in PHP on the server, because when I install VB on my dedicated server it is coming. Is there any option in WHM to change these functions?
View 14 Replies
Jul 4, 2008
I have disabled many functions in the php.ini settings for security!
But I need to use some of the functions for my billing system!
How can I enable all the functions just for an account, or a directory?
View 0 Replies
Aug 7, 2007
Is it possible to set the disabled functions list for PHP in Apache's httpd.conf per virtual host? I want a bunch of functions disabled for everyone except the default host (me).
I tried the php_admin_value way and when I look at phpinfo() it shows that the master is disabled and the local is not disabled (exactly what I want) but they aren't actually enabled for me.
View 14 Replies
Aug 17, 2014
I'm using Parallels Plesk 12.0 and a MySQL server.
I'm logged in with a customer's account into his phpmyadmin. Whenever a client connects to his website (which uses the database of his account) I get logged out and receive a "session expired" error. When I log in again I get "there's already a user with your username logged in".
View 4 Replies
Oct 20, 2008
Our security compliance test failed due to the following reason:
Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.
Description:
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution:
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
We have a cPanel RHEL server. Please advise how to:
'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
View 12 Replies
Feb 20, 2008
RBL is blocking every incoming email. While waiting for the admin, how do I disable it?
View 3 Replies
May 11, 2008
I can stop Dr Web from within the Plesk control panel, but every time the server restarts, Dr Web is automatically started again.
Is there any possible way to disable it from running?
Also the same with SpamAssassin.
I am running CentOS.
View 0 Replies