cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Default php.ini should be correctly hardened

point_and_click shared this idea 8 years ago
Completed

Some elements of the default php.ini are somewhat insecure, two examples :


(1) The "error_log" parameter is currently simply set to "error_log" .... this means that error logs are dumped into public_html areas by default .... not cool !


(2) The PHP is default configured to dump errors on screen instead of log them


(3) No functions are disabled by default, it would be good to disable some high-risk functions (e.g. allow_url_include,allow_webdav_methods,system, exec, shell_exec, passthru, show_source, popen, proc_open,fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file,chdir, mkdir, rmdir, chmod, rename,filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo)

Replies (4)

photo
1

CPanel is meant for all types of users. Eliminating some of these functions would largely disrupt many software packages. (EX: disabling move_uploaded_file). This would make any php script that uploads impossible to use. I disagree with disabling functions that are widely used in the scripting world. Perhaps users should learn to code securely and stop blaming the software they run on. Do you ask perl or ruby to remove commands because they could be a security issue. They have the same functions, the could cause security issues. They just aren't as user friendly as PHP for new users.

photo
1

Ryan Schaffner wrote:

CPanel is meant for all types of users. Eliminating some of these functions would largely disrupt many software packages. (EX: disabling move_uploaded_file). This would make any php script that uploads impossible to use. I disagree with disabling functions that are widely used in the scripting world. Perhaps users should learn to code securely and stop blaming the software they run on. Do you ask perl or ruby to remove commands because they could be a security issue. They have the same functions, the could cause security issues. They just aren't as user friendly as PHP for new users.
Unfortunatley I do not buy that argument.


Cpanel is made for hosting providers. Those hosting providers have an inherent obligation to protect the security of their networks and the integrity of data of other customers.


Some smaller hosting providers may not have the hosting know-how and may just install Cpanel and leave it with an "out of the box" configuration. Therefore, the out of the box configuration should be more secure.

photo
1

With EasyApache 4, we've done some hardening on the PHP configurations, including turning off display_errors, expose_php, and allow_url_*.

We decided not to adjust any disabled_functions as we deemed them too risky to enable by default, especially since there are easy ways to bypass some of those functions.

photo
1

EasyApache 4 has been released to the CURRENT tier, which includes a hardened PHP configuration.

Replies have been locked on this page!