exec() and shell_exec() enabled for spamexperts plugin, security issue?

wouta

Dear,

I am trying to use the SpamExperts plugin. Now I see the following errors when I create or delete a domain.
PHP Notice: Undefined variable: output in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 56
PHP Notice: Undefined variable: return in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 56
PHP Warning: exec() has been disabled for security reasons in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 56
PHP Notice: Undefined variable: output in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 58
PHP Warning: implode(): Invalid arguments passed in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 58

I have enabled exec and shell_exec via /usr/local/directadmin/custombuild/custom/php_disable_functions, so now everybody can use the exec and shell_exec functions, I guess. However, my users are all using PHP Selector from CloudLinux.

Now I have enabled exec and shell_exec, but I doubt whether this is really the best solution for this issue, and my feeling says this is a potentially high-risk solution. Are there better ways to do this?
 
Hi,


I have added another solution for now. Maybe it will help others with this issue.

It turns out that a PHP file is being called from a bash script. What I'm doing now as a workaround is that when the script calls the PHP script, I add a disable_functions option.
Change in the plugin dir scripts/hooks/domain_create_post:
Code:
php /usr/local/directadmin/plugins/latest/hooks/scripts/domain_create_post.php $domain
to
Code:
php -d disable_functions="" /usr/local/directadmin/plugins/latest/hooks/scripts/domain_create_post.php $domain

I have not yet tested whether this is also necessary for other scripts.
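
To check which of the plugin's other hook scripts start the PHP CLI and whether each call already carries the per-invocation override, an audit along these lines can be run over the plugin directory. This is an added example, not part of the original posts or of the plugin; the sample hook files, including the name domain_destroy_post, are constructed for the demo.

```shell
#!/bin/sh
# Added example: report every explicit "php ..." command line found in a
# directory of hook scripts and whether it overrides disable_functions.

# audit_hooks DIR: prints "<STATUS> <file>:<line>:<command>" per php call.
audit_hooks() {
    dir=$1
    # Match "php" (or e.g. php8.1) used as a command word followed by arguments.
    grep -rnE '(^|[[:space:];|&/])php[0-9.]*[[:space:]]' "$dir" 2>/dev/null |
    while IFS= read -r hit; do
        case $hit in
            *"-d disable_functions"*) echo "OVERRIDE $hit" ;;  # scoped to this call
            *)                        echo "DEFAULT  $hit" ;;  # uses global php.ini list
        esac
    done
}

# make_sample_hooks: builds a constructed plugin tree and prints its path.
make_sample_hooks() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/scripts/hooks"
    cat > "$d/scripts/hooks/domain_create_post" <<'EOF'
#!/bin/sh
php -d disable_functions="" /usr/local/directadmin/plugins/latest/hooks/scripts/domain_create_post.php $domain
EOF
    cat > "$d/scripts/hooks/domain_destroy_post" <<'EOF'
#!/bin/sh
php /usr/local/directadmin/plugins/latest/hooks/scripts/domain_destroy_post.php $domain
EOF
    echo "$d"
}

# Demo on the constructed tree.
sample=$(make_sample_hooks)
audit_hooks "$sample"
rm -rf "$sample"
```

Lines reported as DEFAULT run under the global disable_functions list, so those are the hooks that would still hit the exec() warning once exec and shell_exec are disabled globally again.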
 