• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

PHP function exec via the disable_functions directive in php.ini

PabloC

New member
#1
Hi,

I am thinking about moving a vBulletin 4 to Xenforo. I installed in my server xenforo-requirements-test and I got a message like this:

Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
I am not an expert sysadmin, so I checked and found this:

PHP functions such as “exec” and “system” are always used to execute the external programs. Even a shell command can also be executed. If these two functions are enabled then a user can enter any command as input and execute into your server. The user can also delete all of your data simply by giving “rm -rf *” command. Even the user can enter any command simply by using ( ; ) in the argument area. Thus, it is better to disable the “exec” and “system” functions in your php.ini configuration file.
I have installed a few Wordpress, phpBB and a couple of other software, and I would like to know what extra security measures do I need to observe after I enable this.
Is this absolutely necessary for Xenforo to work?

Thanks
 

DragonByte Tech

Well-known member
#2
The recommendation to disable those functions is to limit any damage done by malicious scripts that have already been uploaded to your system. In other words, if your system is already compromised in some lesser way, disabling those functions may help prevent your system from being compromised in a bigger way.

In short, those functions are perfectly safe so long as you take the rest of your server security seriously; enforce Two-Factor Authentication for all staff accounts, keep your FTP account secure by using a complex password, and don't install add-ons from authors you don't trust.


Fillip
 

Mike

XenForo developer
Staff member
#3
Is this absolutely necessary for Xenforo to work?
No, as we just trigger this as an warning (rather than a blocker). As of right now, this function is mostly used by our Media Gallery add-on for video processing via FFmpeg. If you wanted to use that add-on and pull thumbnails from videos or transcode the videos to ensure that users can view them, then that wouldn't function.

In the future, it's very possible that we will expand the functionality within XenForo and use that function, but it's use is pretty specific right now.