How to Disable PHP from Running “exec()” January 13, 2011Posted by Tournas Dimitrios in PHP.
PHP scripts has the ability to run Linux/Unix commands by using the PHP function exec() . That means that anyone with FTP access to your webserver can write a PHP script to execute Unix commands such as delete files with “rm” on your server.
This opens a bit of vulnerability. It may be that some legitimate web application may need to use the exec() function. But if you don’t have such need and you want to make your server more secure, you can configure PHP in the php.ini file to disable the ability to run the exec() function.
Find the line “disable_functions” in the php.ini file and add the functions that you want to disable to that line as in …
disable_functions = exec
Now when a PHP script tries to run the exec function, it will not run and may display a warning instead …
Warning: exec() has been disabled for security reasons in …
To make sure that you have disabled it properly, you can see a list of disabled functions when you phpinfo() and look for the “disable_functions” directive.
There are many other “dangerous” PHP commands similar to exec() which you can append to that statement by separating them with commas .
Always restart your apache server when changes are made on configuration files .
Read : A list of PHP program excecution functions >>>>