Disable Dangerous Functions in PHP
November 30, 2012. Posted by Tournas Dimitrios in PHP.
PHP is often characterized as an "easy to learn" programming language and is used as a stepping stone into web programming. Much of this misunderstanding is due to authors of PHP tutorials who concentrate only on how to achieve a specific programming task in PHP, while forgetting to mention that their script was never meant for production. Beginners then go on to use these "easy" scripts on production servers and find themselves subject to many forms of attack. The following chart is a representation of the most common PHP vulnerabilities, listed by type.
As the chart shows, the most frequent category is the "Execute Code" vulnerability. The number represents the count of distinct reported ways this vulnerability type was used to attack a PHP application.
PHP has built-in functionality to execute shell commands on the underlying system (the host PHP is installed on). It provides a number of functions for executing external commands, among them shell_exec, exec, passthru, system and the backtick operator (` `). It's important to note that pretty much anything you can do on the UNIX command line or in a shell script is allowed here; for example, you can use pipes to string commands together. Each of these functions spawns a child process to run the command or script you designate, and each captures the output of your command as it is written to standard output (stdout).
Many common attacks on PHP applications involve attackers uploading so-called "web shells", scripts that give the attacker access to system functions for the purpose of taking over the web server. These shells typically rely on the dangerous PHP functions for access to system commands. Disabling those functions makes web shells harder to use, thus adding an extra layer of protection.
How to disable these dangerous functions:
It's very simple: open PHP's ini file (php.ini) and append the following directive (don't forget to restart Apache so that the configuration change takes effect):
disable_functions = shell_exec, show_source, system, exec, popen, proc_open, parse_ini_file, passthru, symlink
Most likely, a shared host will already have disabled shell access. This article only applies to PHP code hosted on cloud servers (such as Amazon EC2), VPSs or dedicated servers.
Final thoughts:
I remember the words of my professor: "great power must be accompanied with equal responsibilities". My golden rule is to find alternative ways to accomplish a task that was meant to be run through the command shell. For instance, PHP has a bunch of built-in file-system functions that can be used instead of shell commands. Another example: I have seen fellow coders use shell commands to "ping" a remote server (echo exec("ping " . $ip);), while with a little bit of code the same functionality can be done with PHP's built-in fsockopen function. Which commands should you use, and when? This is entirely up to you and your needs. If you're accepting user input and passing that information along to the shell, you had better sanitize that user input. Strip out any commands that you think might be harmful, disallow users from sending open-ended requests and only allow them to choose from a list of possible alternatives. Make sure that each use of a dangerous function is absolutely necessary and is done in accordance with best practices. For code that passes arguments to shell commands, use escapeshellarg to prevent command injection vulnerabilities. Use absolute paths when executing external commands, and don't let users execute arbitrary commands. Be particularly careful with the backtick (`) operator (this operator is disabled if shell_exec is disabled).
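The ping case above, reworked as an added example (not the post's own code) in the two hardened forms the post recommends: validating and escaping the input before a shell call made by absolute path, and the no-shell alternative with fsockopen. It assumes a Linux host with iputils ping at /bin/ping; that path is a placeholder for your system.

```php
<?php
// Added example, not code from the original post. Reworks the ping snippet
// from "Final thoughts" in two safe ways. Assumes a Linux host with iputils
// ping at /bin/ping (placeholder path; adjust to your system).
declare(strict_types=1);

/**
 * Ping through the shell, hardened as the post recommends:
 *  - accept only a literal IP address (no hostnames, no shell metacharacters),
 *  - still wrap the value in escapeshellarg() as a second layer,
 *  - call the binary by absolute path so a tampered PATH cannot redirect it,
 *  - fail closed when exec() has been removed via disable_functions.
 */
function pingViaShell(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                 // refuse anything that is not an IP address
    }
    if (!function_exists('exec')) {
        return null;                 // exec is listed in disable_functions
    }
    $cmd = '/bin/ping -c 1 -W 2 ' . escapeshellarg($ip) . ' 2>&1';
    exec($cmd, $lines, $status);
    return $status === 0 ? implode("\n", $lines) : null;
}

/**
 * Reachability test with no shell at all: open a TCP connection to a port and
 * report whether it answered within the timeout. This keeps working even when
 * every exec-style function is disabled.
 */
function reachableViaSocket(string $ip, int $port, float $timeout = 2.0): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}

// Constructed inputs: loopback, and an input carrying a shell separator that
// the validation step rejects before any command string is built.
foreach (['127.0.0.1', '127.0.0.1; echo injected'] as $input) {
    $ok = pingViaShell($input) !== null;
    printf("ping %s => %s\n", var_export($input, true), $ok ? 'ok' : 'refused or failed');
}
printf("tcp 127.0.0.1:80 => %s\n", reachableViaSocket('127.0.0.1', 80) ? 'open' : 'closed');
```

Note that disable_functions can only be set in php.ini (or the server's main configuration), not at runtime with ini_set, which is why the shell variant checks function_exists rather than trying to re-enable anything.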