php security: disable functions

Case Study:
Some small hosting company provides web hosting service to its clients. The machine runing web server also acts as an email server, which function very well. Then one day, one of its client wrote some php scripts, which allow users to upload a file containing a list of email addresses, and send email to these thousands of addresses. As a result, system load increased ,server responsiveness lowered, normal email transaction slows down.

This kind of abuse have a great impact on the overall server performance and mail server reputation(may make it blacklisted by other mail server). So, if service policy with client allow, mail function(maybe other) can be disabled to prevent this. A php.ini configuration directive called disable_functions can help.

disable_functions = mail,exec,shell_exec,passthru,system,proc_open,popen

Note: This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

The above example will disable the mail function, also, it will disable other exec related functions so that user will not be able to run command to send email. In fact, disabling these other functions may help to reduce possible damages when web site is exploited by script-kiddies.

Furthermore, when use php with FastCGI, each virtual host can has its different php.ini, which allows one site to disable some functions, and others enable them.

In fact, this is not the sole solution to this case, neither the best. We can, for example, change the mail server configuration to accomplish the same target.

This entry was posted in Email, Security, System Administration, Web and tagged , , , . Bookmark the permalink.

Leave a Reply