-
Notifications
You must be signed in to change notification settings - Fork 0
/
LockDownDangerousPHPfunctions.txt
53 lines (40 loc) · 2.63 KB
/
LockDownDangerousPHPfunctions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
GPT
To enhance the security of your PHP environment, you can restrict the use of certain functions and classes that can perform system-level tasks or potentially compromise server security. This can be effectively done through the PHP configuration file (php.ini). Here, I'll guide you through how to disable specific functions and classes using the disable_functions and disable_classes directives in your php.ini.
Disabling Dangerous PHP Functions
Locate Your php.ini File: This file can typically be found in different locations depending on your operating system and server setup:
For Ubuntu with Apache, it’s often in /etc/php/[version]/apache2/php.ini.
For CentOS with Apache, you might find it in /etc/php.ini.
For XAMPP installations, it’s usually in xampp/php/php.ini.
Edit the php.ini File: Open your php.ini file with a text editor. You may need administrative rights to do this.
Find or Add disable_functions: Look for the line starting with disable_functions. If it’s not there, you can add it under the [PHP] section. Specify the functions you want to disable, separated by commas.
Example configuration:
# php.ini
#
disable_functions = exec, shell_exec, system, passthru, proc_open, popen, curl_exec, curl_multi_exec
Save the Changes and restart your web server to apply the new configuration. The command to restart the server varies:
For Apache on Ubuntu: sudo systemctl restart apache2
For Apache on CentOS: sudo systemctl restart httpd
For XAMPP: You can restart Apache via the XAMPP control panel.
Disabling Specific Classes
If there are any PHP classes that pose a security risk or are unnecessary for your application, you can disable them using the disable_classes directive in the same php.ini file.
Edit the php.ini File: Just as you did for functions, open the file and look for the disable_classes directive. If it’s not present, add it under the [PHP] section.
Specify Classes to Disable: Add the class names you wish to disable, separated by commas.Example configuration:
# php.ini
disable_classes = DirectoryIterator, ReflectionClass
; Comments can be # or ; - evaluate the other classes . disable all (i leave curl enabled)
service apache2 restart
To ensure that your changes have taken effect, you can create a simple PHP script that attempts to use one of the disabled functions or classes:
Verify:
Create file testexec.php:
bash$ >testexec.php
vi testexec.php - paste in the following and hit ESC Z Z (write quit)
<?php
if (function_exists('exec')) {
echo "exec is enabled";
} else {
echo "exec is disabled";
} ?>
--- Back at bash prompt type:
bash$ php testexec.php
exec is disabled
# This validates that the change(s) worked