Disable Dangerous Functions in PHP
What to Do
Disable unused dangerous functions by configuring PHP. Verify that if dangerous functions are used, they are used safely.
Disabling dangerous functions helps make sure they are not used by the application and prevents attackers from using them. Most dangerous functions allow executing external system commands - this functionality is inherently dangerous, because it may allow command injection vulnerabilities if not implemented correctly. It is best to avoid such functions, if possible. If executing system commands is required, extra caution has to be taken when writing such code.
Disabling dangerous functions also makes privilege escalation more difficult for attackers. Many common attacks on PHP applications involve attackers uploading so-called "Web Shells", which are scripts that give the attacker access to system functions for the purpose of taking over the web server. Web Shells typically use the dangerous PHP functions for access to system commands. Disabling dangerous PHP functions makes using Web Shells more difficult, thus adding an extra layer of defense.
To disable dangerous functions:
1. Search code for dangerous functions. Search application code for the following functions and operator(s):
   - ` (backtick operator)
   Make a list of used dangerous functions.
2. Identify dangerous functions that are not used. Make a list of the functions that are not used in your application, by copying the list from Step 1 and removing any dangerous functions that are used from it.
3. Disable unused dangerous functions. Use the list from Step 2 to disable unused dangerous functions in the php.ini file by using the disable_functions directive, like so:
   disable_functions = system, exec, shell_exec, passthru, popen, proc_open, parse_ini_file, show_source, symlink
4. Review all instances of used dangerous functions. Make sure that each case of using a dangerous function is necessary and is done in accordance with best practices. For code that passes arguments to shell commands, use escapeshellarg() to prevent command injection vulnerabilities. Use absolute paths when executing external commands. Do not let users execute arbitrary commands. Be particularly careful with the backtick (`) operator.
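Steps 1 to 3 can be scripted. The following shell script is an added example, not code from the original guidance: it greps a PHP tree for call sites of the functions in the disable_functions line above, lists files that contain the backtick operator, and prints a disable_functions directive covering only the functions the code never calls. The candidate list, the constructed sample files and the audit.sh name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PHP tree for the dangerous
# functions listed above and emit a disable_functions line for the unused ones.
DANGEROUS="system exec shell_exec passthru popen proc_open parse_ini_file show_source symlink"

# Step 1: print the dangerous functions that are actually called in *.php files under $1.
# The pattern needs a call site ("exec(") and rejects look-alikes ("$exec", "subsystem_exec(").
used_dangerous_functions() {
    tree=$1; used=""
    for fn in $DANGEROUS; do
        if grep -rIqE --include='*.php' "(^|[^A-Za-z0-9_\$])${fn}[[:space:]]*\(" "$tree"; then
            used="${used:+$used }$fn"
        fi
    done
    echo "$used"
}
# Step 1, backtick operator: files containing a backtick (coarse: also matches comments and strings).
files_with_backticks() { grep -rlE --include='*.php' '`' "$1"; }

# Steps 2 and 3: every candidate that is not used goes into the disable_functions directive.
disable_functions_line() {
    used=$(used_dangerous_functions "$1"); out=""
    for fn in $DANGEROUS; do
        case " $used " in
            *" $fn "*) ;;                  # called somewhere: keep it enabled and review it under Step 4
            *) out="${out:+$out, }$fn" ;;
        esac
    done
    echo "disable_functions = $out"
}

# Constructed sample tree: one real exec() call plus a backtick command, and one file of look-alikes.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/backup.php" <<'EOF'
<?php
$out = exec('/usr/bin/tar -czf ' . escapeshellarg($dst) . ' ' . escapeshellarg($src));
$listing = `ls -l`;
EOF
    cat > "$d/config.php" <<'EOF'
<?php
// system maintenance flag; subsystem_exec() and filesystem() are not the dangerous functions
$subsystem_exec = true; $fs = filesystem($path); $cfg = parse_ini_string($raw);
EOF
    echo "$d"
}

# Usage: ./audit.sh /path/to/app ; with no argument the constructed sample tree is audited.
tree=${1:-$(make_sample_tree)}
echo "used: $(used_dangerous_functions "$tree")"; disable_functions_line "$tree"
```

The word-boundary check keeps variables and differently named functions out of the "used" list, so only the functions that genuinely stay callable are left out of the generated directive.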