Dangerous PHP functions must be disabled

PHP Hosting

PHP stands for Hypertext Preprocessor is a powerful and popular server-side scripting language which is used for serving dynamic web pages. It is very simple to code and debug and supports several databases like MySQL, MS SQL and Oracle.

But have you ever pondered that some PHP functions can be very dangerous for your server and the data stored on it?

When PHP code is written or used in an insecure way, it can compromise a web hosting server and can easily be exploited by attackers. Insecure PHP code can harm your server data to a degree you cannot even imagine.

Using insecure PHP code as a security hole, attackers could make use of some very dangerous and powerful PHP functions and take control of your web hosting server. There are many such PHP functions which should be disabled in the PHP configuration file. Let’s check out the functions that should be disabled in the PHP configuration file right away on your web server.

Following is a list of dangerous PHP functions:

apache_child_terminate apache_setenv define_syslog_variables escapeshellarg escapeshellcmd eval exec fp fput ftp_connect ftp_exec ftp_get ftp_login ftp_nb_fput ftp_put ftp_raw ftp_rawlist highlight_file ini_alter ini_get_all ini_restore inject_code mysql_pconnect openlog passthru php_uname phpAds_remoteInfo phpAds_XmlRpc phpAds_xmlrpcDecode phpAds_xmlrpcEncode popen posix_getpwuid posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid posix_setuid posix_uname proc_close proc_get_status proc_nice proc_open proc_terminate shell_exec syslog system xmlrpc_entity_decode

On cPanel servers where the PHP handler is configured to use DSO, PHP runs as the “nobody” user. This may become a security hole and create major issues if you have given files 777 permissions, because 777 enables the “nobody” user to read, write and execute the file. So it is better to be careful with permissions.

It is always recommended to set permissions to 755, so that no one else can edit or change the files. PHPsuexec disallows PHP scripts from running with 777 permissions, and such files cannot be read either. This feature should always be enabled to ensure maximum security.

PHP functions such as “exec” and “system” are used to execute external programs; even a shell command can be executed through them. If these two functions are enabled, then a user who controls their input can have any command executed on your server. Such a user could also delete all of your data simply by passing an “rm -rf *” command, or chain in an arbitrary command by using a semicolon (;) in the argument. Thus, it is better to disable the “exec” and “system” functions in your php.ini configuration file.

Enter the following command in ssh to find your php.ini file:

[email protected] [~]# php -i | grep php.ini

Mostly, you will find it at /etc/php.ini, or you may also find it at /usr/local/lib/php.ini.

Enter the following command to edit the file using your favorite editor. I have used the vi editor here:

[email protected] [~]# vi /etc/php.ini

Search for the following text “disable_functions” in the php.ini file.

disable_functions is a directive used to disable insecure PHP functions.

Once you find the “disable_functions” directive in the configuration file, modify the disable_functions = "" line as shown below:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
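As an added example (not code from the original post), the following POSIX shell helper reads a php.ini file and reports which of the functions named above are still permitted; the DANGEROUS list is a constructed subset of the page's list and the sample php.ini is constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example): report which recommended-to-disable PHP
# functions a php.ini file still allows.

# Constructed subset of the functions this post recommends disabling.
DANGEROUS="exec system shell_exec passthru popen proc_open eval"

# Extract the active disable_functions value from a php.ini file:
# skip commented (;) lines, take the last assignment, strip quotes and
# whitespace, and turn the comma-separated list into a space-separated one.
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/["[:space:]]//g' -e 's/,/ /g'
}

# Print, one per line, each function in $DANGEROUS that the ini does not disable.
missing_disabled() {
    have=" $(disabled_functions "$1") "
    for fn in $DANGEROUS; do
        case "$have" in
            *" $fn "*) ;;          # already disabled
            *) echo "$fn" ;;       # still callable from PHP
        esac
    done
}

# Constructed sample php.ini: a commented-out old value plus the live one.
SAMPLE_INI="$(mktemp)"
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample php.ini
;disable_functions = exec,system
disable_functions = "exec, shell_exec, passthru, popen"
EOF

missing_disabled "$SAMPLE_INI"   # prints system, proc_open and eval, one per line
```

Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect; PHP silently ignores it there, and this check will keep reporting it unless you drop it from DANGEROUS.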

The above mentioned changes can be applied on both Linux as well as Windows servers.

Once you modify the php.ini configuration file, you will need to restart the Apache web server on Linux server and IIS web server on Windows server for changes to take effect.

After disabling the above dangerous PHP functions, you may encounter problems with your web applications. For example, when you disable “shell_exec” and visit Fantastico in cPanel, you may see the error below:

Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *

In this case, you should run the following from SSH:

/scripts/makecpphp

The above command will install a copy of PHP for use with the cPanel/WHM backend and its add-ons such as Fantastico.

Like this post?

Share on your Social Networking Profile ( Facebook, Twitter & Google+ ) and get a flat 10% Recurring discount on our VPS Hosting and Dedicated Servers.

Email us the shared link at : [email protected] or speak to our live chat operator now, by clicking on the “Live Chat” Scroller on the left-hand side of this page and we will provide you with the discount Coupon right away!

Translated from: https://www.eukhost.com/blog/webhosting/dangerous-php-functions-must-be-disabled/