In the php.ini ive disabled several functions for security reasons but i need to enable exec() and shell_exec() for WHMCS Status, but i dont want it enabled for anything or anyone else. I know you can over ride global php.ini but i preferably dont want that on and also i forgot where that option is but i was wondering if there was any work arounds or would i have to enable exec() and shell_exec() globally or enable php.ini override.
When dealing with the security of your server you will eventually get to the part were you will want to disable some php functions. The only problem on shared hosting is that you cannot disable exec for a domain and enable that function for an other that needs it because of some lame script. Eventually you will get to the part were you will need to enable exec on the entire server because of one site.
There is a solution to this and it’s called suhosin.
Suhosin has a configuration variable called ”suhosin.executor.func.blacklist” which can be used to disable some php functions. The difference between this variable and disable_functions in php.ini is that it can be set for all the sites and then it can be modified for a domain only (it can be overwritten) so you will be able to disable exec on the entire server and enable that function for a single domain.
I will not write here how to install suhosin.
Also, you only need the extension for this so you do not need to patch php and recompile.
IMPORTANT: I have noticed that the suhosin extension 0.9.20 will not work anymore as there are some problems with it. It’s ok as long as we have 0.9.18. Probably the next version of the extension will be fixed to work ok again so remember to use version 0.9.18 for this until the problem is fixed.
Ok, so to use suhosin as the php function blocker we need to comment out disable_functions in php ini (yes, enable all the functions) and then set in php.ini suhosin.executor.func.blacklist to something like this:
After that, all the functions added in suhosin.executor.func.blacklist will not work anymore in php scripts. If you need to enable a function for a domain, let’s say exec, you will have to edit apache configuration file and add suhosin.executor.func.blacklist without the exec function:
How to disable those functions on VPS with Lxadmin and CentOS 5 show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, base64_decode, base64_encodem, proc_terminate
i use Cpanel/WHM , how can override php settings when php run az CGI ,when i put php.ini in root of any website the setting didn't override main php.ini settings.
I am setting a dedicated server for a mate with cPanel/WHM 11. He says he wants a custom php.ini file such that you can override the settings when you upload a php.ini file in /home/site/public_html/
I have a curious problem, and have scoured the net for a solution. Basically, while developing a Joomla site, I have had a standard .html holding page in place.
I uploaded the Joomla site in the 'background' to continue developing the website while the holding page was in place. I always thought that .html would always display first in the browser, before index.php.
However the index.php file always displays first. I've tried changing the htaccess file etc but at this point nothing seems to be working.
It seems that some tsearch2 functions are inaccessible such as a set of rank() funcs. The default definition for one of the functions is shown in the following snippet of
code: CREATE OR REPLACE FUNCTION rank(real[], tsvector, tsquery) RETURNS real AS '$libdir/tsearch2', 'rank' LANGUAGE 'c' IMMUTABLE STRICT; I've tried to execute this script shown above and got the following error: ERROR: permission denied for language c rpm -qa | grep postgresql postgresql-devel-8.3.5-1PGDG.rhel4 postgresql-server-8.3.5-1PGDG.rhel4 postgresql-8.3.5-1PGDG.rhel4 postgresql-libs-8.3.5-1PGDG.rhel4 postgresql-plpython-8.3.5-1PGDG.rhel4
My vps managed service has disabled this functions in php.ini :
Code: exec, shell_exec, system, passthru,popen, virtual, show_source, pclose I asked them why these disabled and the answer was "because of security reasons" .
So for example a Joomla installation with working RSS needs some of these functions and when I install vary php programs I face some strnge problems that I think it may be from these disabilities .
So my question is could these functions usually be disabled ? and may I delete them from disable_functions of php.ini
I'm trying to accomplish two goals: First, get "Pretty Links" to work on my local Wordpress instance; second, to set up a local domain for the site.I have a fresh install of Apache 2.4.6 running, and I'll I've done is enable the rewrite and vhost_alias mods. Nevertheless, here's my apache2.conf: URL....
I need to have AllowOverride set to All. This, I gather, allows .htaccess files within the subsequent directories to alter the apache config. To try one thing at a time, I'm accessing the site from localhost/var/www/dhae/Wordpress (foregoing the domain). I tried altering the 000-default.conf to oblige this: [URL] .... -- all I added was the <Directory> section. This didn't work, and neither did changing the AllowOverride to All in the apache2.conf.
I wondered if perhaps I needed something more specific to the directory, so I tried using my second goal to accomplish this. I wrote the dhae.conf: URL....
I've also added the following line to my HOSTS file:127.0.0.1 dhae.dev
This hasn't worked either. I've tried virtual host config stuff as much as I could find, and I'm just not having any luck. What I have even came from this site (URL....).
Are there companies out there that allow unlimited emailing capabilities on a VPS server? What kind of budget would be best to get this capability? Am I better of going with a dedicated server?
I need to change the server configuration on Plesk such that the SuexecUserGroup directive is removed, so the user's cgi scripts run as the apache user (www-data), rather than as the user specified in that directive (the domain user), as on an unshared (non-VPS) server. I don't care about security from other domains because only one domain runs on it anyway, so making the user domain-specific is irrelevant from a security point of view and stops some of the user's code working.
This directive is found in /var/www/vhosts/domainname.com/conf/httpd.include and is: SuexecUserGroup user psacln (this line appears twice, for ports 443 and 80)
I understand that this file can't be modified, as it may be overwritten by Plesk. Therefore additional directives must go in the vhost.conf file.
Will the following vhost.conf file do the trick and override the directives in httpd.include?
how to make MySQL functions in PHP in server,bcz when i intall VB in my dedicated server it comeing is there is any option in WHM to chnage these funtion!
is it possible to set the disabled functions list for PHP in apache's HTTPD.conf per virtual host? i want a bunch of functions disabled for everyone except the default host (me).
I tried the php_admin_value way and when i look at phpinfo() it shows that the master is disabled and the local is not disabled (exactly what i want) but they arnt actually enabled for me
I'm using Parallels Plesk 12.0 and a mysql-Server.
I'm logged in with a customer's account into his phpmyadmin. Whenever a client connects to his website (which uses the database of his account) I get logged out and receive a "session expired" error. When I log in again I get "there's already a user with your username logged in".
Our security comlience test got failed due to following reason
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
We have Cpanel RHEL server. Please advise how to:
'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
I would like to disable SSL 2.0 and use SSL 3.0, my question how i can do this and which file i have to modify or i have to upgrade from SSL 2.0 to SSL 3.0 ?