PHP function exec via the disable_functions directive in php.ini

PabloC

PabloC

Member
Hi,

I am thinking about moving a vBulletin 4 to Xenforo. I installed in my server xenforo-requirements-test and I got a message like this:

Your server has disabled a core PHP function exec via the disable_functions directive in php.ini. This may cause unexpected problems in XenForo.
Click to expand...

I am not an expert sysadmin, so I checked and found this:

PHP functions such as “exec” and “system” are always used to execute the external programs. Even a shell command can also be executed. If these two functions are enabled then a user can enter any command as input and execute into your server. The user can also delete all of your data simply by giving “rm -rf *” command. Even the user can enter any command simply by using ( ; ) in the argument area. Thus, it is better to disable the “exec” and “system” functions in your php.ini configuration file.
Click to expand...

I have installed a few Wordpress, phpBB and a couple of other software, and I would like to know what extra security measures do I need to observe after I enable this.
Is this absolutely necessary for Xenforo to work?

Thanks
 
Sort by date Sort by votes
The recommendation to disable those functions is to limit any damage done by malicious scripts that have already been uploaded to your system. In other words, if your system is already compromised in some lesser way, disabling those functions may help prevent your system from being compromised in a bigger way.

In short, those functions are perfectly safe so long as you take the rest of your server security seriously; enforce Two-Factor Authentication for all staff accounts, keep your FTP account secure by using a complex password, and don't install add-ons from authors you don't trust.


Fillip
 
Upvote 0 Downvote
PabloC said:
Is this absolutely necessary for Xenforo to work?
Click to expand...
No, as we just trigger this as an warning (rather than a blocker). As of right now, this function is mostly used by our Media Gallery add-on for video processing via FFmpeg. If you wanted to use that add-on and pull thumbnails from videos or transcode the videos to ensure that users can view them, then that wouldn't function.

In the future, it's very possible that we will expand the functionality within XenForo and use that function, but it's use is pretty specific right now.
 
Upvote 0 Downvote

Similar threads

vinnymickey
  • Question Question
XF 2.1 proc_open() has been disabled & disabled a fundamental core PHP function ini_set
Replies
6
Views
1K
vinnymickey
vinnymickey
vbuser
  • Question Question
XF 2.0 Your server has disabled a core PHP function exec
Replies
9
Views
3K
Mike
Mike
V
  • Question Question
XF 2.0 Your server has disabled a core PHP function...
Replies
11
Views
8K
Chris D
Chris D
polle
  • Question Question
XF 1.3 PHP functions via the disable_functions directive in php.ini
Replies
18
Views
2K
euantor
euantor
Skylined
  • Question Question
XF 1.3 Upgrading to 1.3 - disabled core PHP functions disable_functions in php.ini
Replies
16
Views
4K
DRaver
DRaver
Top Bottom