(02-15-2020, 12:24 AM)Ron-e Wrote: Isn't the shell_exec function disabled by default through suhosin?
So if you can run shell_exec, you customized Sentora and compromised the security of Sentora yourself, or suhosin is broken.
I got this message:
When executing:
Code:
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
echo shell_exec("cat /etc/sentora/panel/cnf/db.php");
?>
Well, it seems that I did it myself, but shouldn't the admin be able to just enable some commands for some users?
I believe that some commands are crucial for web development and exec is one of them.
Maybe locking the PHP interpreter inside a user's virtual home would be a solution to that.
Anyway, as stated, I do not use the cpanel for commercial use, so I can't find any security issues by enabling some commands as I am the only one that has access to PHP, but on the other hand I can think of some situations where a simple code injection could be catastrophic.
What is your opinion on that? Am I safe with disabled suhosin as long as I am the only one with access to the server?
Thank you.
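
An added example, not part of the original post and not Sentora's own code: a PHP script that reports which command-execution functions the running configuration still allows, so the effect of changing suhosin or disable_functions can be checked per site. The helper names ini_list and audit_exec are hypothetical; the ini directives read are disable_functions, open_basedir and suhosin's suhosin.executor.func.blacklist / suhosin.executor.func.whitelist.

```php
<?php
// Added example: audit which exec-family functions this PHP config permits.
$execFuncs = array('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open');

// Split a comma-separated ini value into lowercase function names.
function ini_list($value)
{
    if (!is_string($value) || trim($value) === '') {
        return array();
    }
    $names = array_map(function ($f) {
        return strtolower(trim($f));
    }, explode(',', $value));
    return array_values(array_filter($names, 'strlen'));
}

// Map each function to the setting that blocks it, or null if it is callable.
// A non-empty suhosin whitelist takes precedence over the blacklist.
function audit_exec(array $funcs, array $disabled, array $blacklist, array $whitelist)
{
    $report = array();
    foreach ($funcs as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disable_functions';
        } elseif ($whitelist && !in_array($fn, $whitelist, true)) {
            $report[$fn] = 'not in suhosin whitelist';
        } elseif (!$whitelist && in_array($fn, $blacklist, true)) {
            $report[$fn] = 'suhosin blacklist';
        } else {
            $report[$fn] = null;
        }
    }
    return $report;
}

// ini_get() returns false for suhosin directives when the extension is absent.
$suhosin = extension_loaded('suhosin');
$report = audit_exec(
    $execFuncs,
    ini_list(ini_get('disable_functions')),
    $suhosin ? ini_list(ini_get('suhosin.executor.func.blacklist')) : array(),
    $suhosin ? ini_list(ini_get('suhosin.executor.func.whitelist')) : array()
);

echo 'suhosin loaded: ', $suhosin ? 'yes' : 'no', PHP_EOL;
foreach ($report as $fn => $reason) {
    echo str_pad($fn, 12), $reason === null ? 'CALLABLE' : "blocked ($reason)", PHP_EOL;
}
$basedir = ini_get('open_basedir');
echo 'open_basedir: ', $basedir ? $basedir : '(unset)', PHP_EOL;
```

Run it through the same vhost and PHP handler the site uses, since per-vhost settings can differ from what the CLI reports.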