Disable dangerous php functions in php.ini to reduce security exploits

Discussions about server security -- questions and answers

Moderators: egami, macek, gesf

phpexploit
New php-forum User
Posts: 4
Joined: Sun Jul 11, 2021 2:37 am

Sun Jul 11, 2021 4:51 am

Hello, greetings. I want to disable dangerous PHP functions in php.ini on an Apache web server with PHP 7.4 to reduce exploits and close some security holes!

I have collected a list from multiple sites that I've found around on the internet to disable dangerous PHP functions. I have posted the whole list below. I want to know which functions are all valid and still working, to remove any deprecated or obsolete PHP functions. Also, what PHP functions that are missing can I add to improve security?

Code:

disable_functions = exec,passthru,system,proc_open,popen,curl_exec,curl_multi_exec,show_source,readfile,escapeshellarg,escapeshellcmd,dl,pg_lo_import,dbmopen,dbase_open,chgrp,chown,chmod,symlink,pclose,apache_child_terminate,apache_setenv,apache_getenv,apache_get_modules,apache_get_version,apache_lookup_uri,apache_note,apache_request_headers,apache_reset_timeout,apache_response_headers,define_syslog_variables,proc_close,proc_nice,proc_terminate,proc_get_status,eval,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,inject_code,openlog,php_uname,phpAds_remoteInfo,phpAds_XmlRpc,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,syslog,xmlrpc_entity_decode,phpinfo,gzinflate,fsockopen,pfsockopen,getmyuid,getmypid,leak,listen,diskfreespace,tmpfile,link,ignore_user_abordsource,fpaththru,virtual,posix_kill,posix_setpgid,posix_setsid,posix_getpwuid,posix_mkfifo,posix_uname,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_ctermid,posix_access,posix_mknod,posix_setp,closelog,debugger_off,debugger_on,define_syslog_var,disk_free_space,ftok,limit,mysql_list_dbs,mysql_pconnect,pg_host,reaink,safe_dir,satty,set_time,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority

I have excluded the PHP functions in the list below, because otherwise they cause conflicts and problems with Matomo analytics. I also use Joomla, WordPress+Elementor and Tiki CMS on my web server. Let me know if any of the disabled PHP functions in the list above can cause conflicts. Thanks for the advice.

shell_exec (required by Matomo!)
ini_set (required by Matomo!)
ini_alter (does matomo or any app I use need this?)
ini_restore (does matomo or any app I use need this?)
ini_get_all (required by Matomo!)
parse_ini_file (required by Matomo!)
parse_ini_string (required by Matomo!)
allow_url_fopen (required by Matomo!)
set_time_limit (required by Matomo!)
scandir (required by some Matomo plugin!)
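The post above asks which names in the list are real, still-existing functions on PHP 7.4. The script below is an added example (not code from this thread or from any of the projects mentioned) that answers that question against the PHP binary you actually run: it splits a disable_functions value, flags duplicates, names that are already disabled, names that are ini directives rather than functions (allow_url_fopen is one), and names that do not exist at all (typos, functions removed in PHP 7 such as mysql_pconnect, language constructs such as eval, or functions from an extension that is not loaded). The file name and the short sample list are assumptions; pass your own list as the first argument.

```php
<?php
// Added example, not code from the thread: audit a disable_functions
// candidate list before putting it into php.ini.
//
// Run it with disable_functions emptied for this one invocation so that
// function_exists() can still see the functions you are about to disable:
//   php -d disable_functions= audit_disable_functions.php "exec,system,..."
// Results depend on the PHP build and loaded extensions, so run it with
// the same binary and extension set the web server uses (CLI php.ini can differ).
declare(strict_types=1);

/** Split a disable_functions value into lowercased names with a count of repeats. */
function parseDisableList(string $value): array
{
    $counts = [];
    foreach (explode(',', $value) as $raw) {
        $name = strtolower(trim($raw));
        if ($name === '') {
            continue;
        }
        $counts[$name] = ($counts[$name] ?? 0) + 1;
    }
    return $counts;
}

/** Classify every name so the list can be cleaned up before deployment. */
function auditDisableList(string $value): array
{
    $alreadyDisabled = array_map(
        'strtolower',
        array_map('trim', explode(',', (string) ini_get('disable_functions')))
    );
    $report = ['valid' => [], 'duplicate' => [], 'already_disabled' => [], 'ini_directive' => [], 'unknown' => []];

    foreach (parseDisableList($value) as $name => $count) {
        if ($count > 1) {
            $report['duplicate'][] = $name;
        }
        if (in_array($name, $alreadyDisabled, true)) {
            $report['already_disabled'][] = $name;   // disabled in this runtime; existence cannot be checked here
        } elseif (function_exists($name)) {
            $report['valid'][] = $name;              // a real function in this build
        } elseif (ini_get($name) !== false) {
            $report['ini_directive'][] = $name;      // a php.ini setting, not a function (e.g. allow_url_fopen)
        } else {
            // typo, function removed from PHP, a language construct such as eval
            // (disable_functions cannot block constructs), or extension not loaded
            $report['unknown'][] = $name;
        }
    }
    return $report;
}

// Constructed sample with one entry of each kind; the real list goes in $argv[1].
$sample = 'exec,system,proc_open,proc_open,allow_url_fopen,mysql_pconnect,phpAds_XmlRpc,socket_clear_errorsocket_close';
$report = auditDisableList($argv[1] ?? $sample);

foreach ($report as $kind => $names) {
    printf("%-17s %s\n", $kind . ':', $names ? implode(', ', $names) : '(none)');
}
// A cleaned value ready for php.ini: only names that are real functions in this build.
echo "\ndisable_functions = " . implode(',', $report['valid']) . "\n";
```

Names that end up under ini_directive belong in their own php.ini line (for example `allow_url_fopen = Off`), and eval cannot be disabled this way at all because it is a language construct, not a function. Unknown names are harmless in the sense that PHP ignores them, but they make the list look more protective than it is, which is the point of checking.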
Strider64
php-forum GURU
Posts: 429
Joined: Sat Mar 23, 2013 8:24 am
Location: Livonia, MI

Sun Jul 11, 2021 5:19 am

You want to disable functions that are security risks in PHP? That doesn't make sense.

Simply don't use them
Life is a fig newton of your imagination! https://www.phototechguru.com/
phpexploit
New php-forum User
Posts: 4
Joined: Sun Jul 11, 2021 2:37 am

Sun Jul 11, 2021 7:50 am

Why do you say so? Please explain.
phpexploit
New php-forum User
Posts: 4
Joined: Sun Jul 11, 2021 2:37 am

Sun Jul 11, 2021 1:09 pm

When you disable PHP functions you don't use, you disable certain exploits; otherwise hackers can call up PHP functions to execute remote exploit code with 0-day exploits to hijack your web server and website.
phpexploit
New php-forum User
Posts: 4
Joined: Sun Jul 11, 2021 2:37 am

Sun Jul 11, 2021 1:36 pm

For stupid people it makes no sense; for smart people it makes sense!
simonbrahan
php-forum Super User
Posts: 153
Joined: Mon Jun 08, 2020 2:00 am

Sun Jul 11, 2021 11:38 pm

This is a decent list. Disabling them outright is likely to cause problems though; it wouldn't surprise me if the PHP applications you're running rely on a few of those functions.

Rather than blindly disabling stuff, you should take the time to understand what code you're running and where the risks are.
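The advice above, to find out what the hosted code actually relies on before disabling anything, can be made concrete. The script below is an added example (not code from this thread, nor from Matomo, Joomla, WordPress or Tiki) that tokenizes every .php file under a directory and reports where the functions you intend to disable are called directly, so a conflict like the shell_exec and scandir dependencies mentioned in the first post shows up before php.ini changes break a site. The file name and the default watch list are assumptions.

```php
<?php
// Added example, not code from the thread: find direct calls to the functions
// you intend to disable inside the applications you host, before editing php.ini.
//   php scan_calls.php /var/www/html exec,shell_exec,ini_set,scandir
declare(strict_types=1);

/** Return [ [name, line], ... ] for every plain function call in one PHP source string. */
function findFunctionCalls(string $source): array
{
    $tokens = token_get_all($source);
    $calls = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        // exec( is T_STRING on every version; \exec( is T_NAME_FULLY_QUALIFIED on PHP 8.
        $isName = is_array($tok) && ($tok[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $tok[0] === constant('T_NAME_FULLY_QUALIFIED')));
        if (!$isName) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        if (strpos($name, '\\') !== false) {
            continue;                                // \Vendor\exec(): a namespaced user function
        }
        // The next significant token must be '(' for this to be a call.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Skip $obj->exec(), Foo::exec(), function exec(), new Exec() and Vendor\exec().
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) {
            $k--;
        }
        if ($k >= 0 && is_array($tokens[$k])) {
            if (in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_PAAMAYIM_NEKUDOTAYIM, T_FUNCTION, T_NEW], true)) {
                continue;
            }
            if ($tokens[$k][0] === T_NS_SEPARATOR && $k > 0
                && is_array($tokens[$k - 1]) && $tokens[$k - 1][0] === T_STRING) {
                continue;
            }
        }
        $calls[] = [$name, $tok[2]];
    }
    return $calls;
}

/** Walk a directory tree; return ['name' => ['file:line', ...]] for the watched names. */
function scanTree(string $root, array $watch): array
{
    $watch = array_flip(array_map('strtolower', array_map('trim', $watch)));
    $hits = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        if ($src === false) {
            continue;
        }
        foreach (findFunctionCalls($src) as [$name, $line]) {
            if (isset($watch[$name])) {
                $hits[$name][] = $file->getPathname() . ':' . $line;
            }
        }
    }
    ksort($hits);
    return $hits;
}

$root  = $argv[1] ?? '.';
$watch = explode(',', $argv[2] ?? 'exec,shell_exec,system,passthru,proc_open,popen,ini_set,scandir');
foreach (scanTree($root, $watch) as $name => $locations) {
    echo $name, ' (', count($locations), ")\n  ", implode("\n  ", $locations), "\n";
}
```

Two limits to keep in mind when reading the output: the scan only sees literal calls, so a function reached through a variable name or call_user_func() is invisible to it even though disable_functions would still block it at runtime, and an unqualified name inside a namespaced file is reported even if that namespace defines its own function of the same name. The result is a list of places to review, not a guarantee, which is still far better than discovering the dependency from a broken site.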