X-Cart: shopping cart software


Triple A Racing 08-29-2017 08:25 PM

PHP Settings & Secure Server for XC5
 
Can the X-Cart Dev Team and/or X-Cart Support Team please confirm that by following this (non-X-Cart) server user group's technical recommendation, XC5 will still run like normal, i.e. 100% unaffected. We think the answer is yes, but regardless of the current status of our own setup, confirmation from a team with much better XC5 product knowledge than us will help other XC5 store owners too when they read this thread.
Quote:

For security reasons, all these PHP functions should be disabled: exec, passthru, shell_exec, system, popen, show_source, pcntl_exec, proc_open, proc_terminate, proc_close and pfsockopen

qualiteam 08-30-2017 12:18 AM

Re: PHP Settings & Secure Server for XC5
 
At least exec() is in the list of functions that should not be disabled on the server.
You can find the full list in \Includes\Requirements::getRequiredFunctions().

I'm not sure about the other functions. I see that some of them are not listed as required, but are called in source files (for example, popen() is used by PHPMailer library). Perhaps, it is because PHPMailer is an optional feature, so X-Cart technically can work without it.

Triple A Racing 08-30-2017 12:47 AM

Re: PHP Settings & Secure Server for XC5
 
Quote:

Originally Posted by qualiteam
At least exec() is in the list of functions that should not be disabled on the server.
You can find the full list in \Includes\Requirements::getRequiredFunctions(). I'm not sure about the other functions. I see that some of them are not listed as required, but are called in source files (for example, popen() is used by PHPMailer library). Perhaps, it is because PHPMailer is an optional feature, so X-Cart technically can work without it.

Thank you! Yes, \Includes\Requirements::getRequiredFunctions() in XC 5.3.3.3, for the record and info for others, currently comprises:
Code:

    /**
    * @return array
    */
    private static function getRequiredFunctions()
    {
        return [
            'func_num_args', 'func_get_arg', 'func_get_args', 'strlen',
            'strcmp', 'strncmp', 'strcasecmp', 'strncasecmp',
            'each', 'error_reporting', 'define', 'defined',
            'get_class', 'get_called_class', 'get_parent_class', 'method_exists',
            'property_exists', 'class_exists', 'interface_exists', 'function_exists',
            'get_included_files', 'is_subclass_of', 'is_a', 'get_class_vars',
            'get_object_vars', 'set_error_handler', 'restore_error_handler', 'set_exception_handler',
            'get_declared_classes', 'get_resource_type', 'extension_loaded', 'debug_backtrace',
            'debug_print_backtrace', 'strtotime', 'date', 'gmdate',
            'mktime', 'strftime', 'time', 'getdate',
            'date_create', 'date_default_timezone_set', 'date_default_timezone_get',
            'preg_match', 'preg_match_all', 'preg_replace', 'preg_replace_callback',
            'preg_split', 'preg_quote', 'preg_grep', 'preg_last_error',
            'ctype_alpha', 'ctype_digit',
            'filter_var', 'filter_var_array', 'hash_hmac', 'json_encode',
            'json_decode',
            'spl_autoload_register', 'spl_autoload_unregister', 'spl_autoload_functions',
            'class_parents', 'class_implements', 'spl_object_hash', 'iterator_to_array',
            'simplexml_load_file', 'constant',
            'sleep', 'flush', 'htmlspecialchars', 'htmlentities',
            'html_entity_decode', 'get_html_translation_table', 'sha1', 'md5',
            'md5_file', 'crc32', 'getimagesize', 'phpinfo',
            'phpversion', 'substr_count', 'strspn', 'strcspn',
            'strtok', 'strtoupper', 'strtolower', 'strpos',
            'stripos', 'strrpos', 'strrev', 'nl2br',
            'basename', 'dirname', 'pathinfo', 'stripslashes',
            'stripcslashes', 'strstr', 'stristr', 'str_split',
            'substr', 'substr_replace', 'ucfirst', 'lcfirst',
            'ucwords', 'strtr', 'addslashes', 'addcslashes',
            'rtrim', 'str_replace', 'str_ireplace', 'str_repeat',
            'chunk_split', 'trim', 'ltrim', 'strip_tags',
            'explode', 'implode', 'join', 'setlocale',
            'chr', 'ord', 'parse_str', 'str_pad',
            'chop', 'sprintf', 'printf', 'sscanf',
            'parse_url', 'urlencode', 'urldecode', 'http_build_query',
            'unlink', 'exec', 'escapeshellcmd', 'escapeshellarg',
            'rand', 'srand', 'mt_rand', 'mt_srand',
            'getmypid', 'base64_encode', 'abs', 'ceil',
            'floor', 'round', 'is_infinite', 'pow',
            'log', 'sqrt', 'hexdec', 'octdec',
            'dechex', 'base_convert', 'number_format', 'getenv',
            'putenv', 'microtime', 'uniqid', 'quoted_printable_encode',
            'set_time_limit', 'get_magic_quotes_gpc', 'get_magic_quotes_runtime',
            'error_log', 'error_get_last', 'call_user_func', 'call_user_func_array',
            'serialize', 'unserialize', 'var_dump', 'var_export',
            'print_r', 'memory_get_usage', 'memory_get_peak_usage', 'register_shutdown_function',
            'ini_get', 'ini_set', 'get_include_path', 'set_include_path', 'setcookie',
            'header', 'headers_sent', 'parse_ini_file', 'is_uploaded_file',
            'move_uploaded_file', 'intval', 'floatval', 'doubleval',
            'strval', 'gettype', 'is_null', 'is_resource',
            'is_bool', 'is_float', 'is_int', 'is_integer',
            'is_numeric', 'is_string', 'is_array', 'is_object',
            'is_scalar', 'is_callable', 'pclose', 'popen',
            'readfile', 'rewind', 'rmdir', 'umask',
            'fclose', 'feof', 'fgets', 'fread',
            'fopen', 'fstat', 'fflush', 'fwrite',
            'fputs', 'mkdir', 'rename', 'copy',
            'tempnam', 'file', 'file_get_contents', 'file_put_contents',
            'stream_context_create', 'stream_context_set_params', 'stream_filter_append', 'stream_filter_remove',
            'stream_socket_enable_crypto', 'stream_get_contents', 'flock', 'stream_get_meta_data',
            'stream_set_timeout', 'socket_set_timeout', 'socket_get_status', 'realpath',
            'fsockopen', 'pack', 'unpack', 'opendir',
            'closedir', 'chdir', 'getcwd', 'readdir',
            'glob', 'filemtime', 'fileperms', 'filesize',
            'file_exists', 'is_writable', 'is_readable', 'is_executable',
            'is_file', 'is_dir', 'is_link', 'chmod',
            'touch', 'clearstatcache', 'disk_free_space', 'mail',
            'openlog', 'syslog', 'closelog', 'ob_start',
            'ob_flush', 'ob_clean', 'ob_end_clean', 'ob_get_clean',
            'ob_get_contents', 'ksort', 'krsort', 'asort',
            'sort', 'usort', 'uasort', 'uksort',
            'array_walk', 'array_walk_recursive', 'count', 'end',
            'next', 'reset', 'current', 'key',
            'min', 'max', 'in_array', 'array_search',
            'compact', 'array_fill', 'array_fill_keys', 'range',
            'array_multisort', 'array_push', 'array_pop', 'array_shift',
            'array_unshift', 'array_splice', 'array_slice', 'array_merge',
            'array_merge_recursive', 'array_replace_recursive', 'array_keys', 'array_values',
            'array_count_values', 'array_reverse', 'array_reduce', 'array_pad',
            'array_flip', 'array_change_key_case', 'array_unique', 'array_intersect',
            'array_intersect_key', 'array_diff', 'array_diff_key', 'array_diff_assoc',
            'array_udiff_assoc', 'array_sum', 'array_filter', 'array_map',
            'array_chunk', 'array_combine', 'array_key_exists', 'version_compare',
            'stream_get_filters', 'sys_get_temp_dir', 'token_get_all', 'xml_parser_create',
            'xml_parse_into_struct', 'xml_get_error_code', 'xml_error_string', 'xml_get_current_byte_index',
            'xml_parser_free',
        ];
    }

So there are only the two you have mentioned that appear (from this check list anyway) to possibly need further investigation (by us) with the other group as to why / which user adds a risk, etc.
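
As an added example (not X-Cart's own code, and not the check that \Includes\Requirements performs verbatim), the script below reproduces the comparison made in this thread in PHP 7.4+: it intersects the hardening list from the first post with X-Cart's required functions, emits a disable_functions value that keeps the store running, and then probes the PHP it runs on the same way a requirements check does. XCART_REQUIRED is an excerpt of the getRequiredFunctions() list quoted above, limited to the entries that matter for this comparison; every other identifier is a standard PHP function.

```php
<?php
declare(strict_types=1);

// Added example, not X-Cart code. RECOMMENDED_DISABLE is the hardening list
// from the first post; XCART_REQUIRED is an excerpt (not the full list) of
// \Includes\Requirements::getRequiredFunctions() for XC 5.3.3.3 as quoted above.

const RECOMMENDED_DISABLE = [
    'exec', 'passthru', 'shell_exec', 'system', 'popen', 'show_source',
    'pcntl_exec', 'proc_open', 'proc_terminate', 'proc_close', 'pfsockopen',
];

const XCART_REQUIRED = [
    'exec', 'escapeshellcmd', 'escapeshellarg', 'popen', 'pclose',
    'fsockopen', 'mail', 'file_get_contents', 'stream_socket_enable_crypto',
];

/**
 * Parse a php.ini disable_functions value. PHP reads a comma-separated list
 * and tolerates surrounding whitespace, so normalise the same way.
 *
 * @return string[]
 */
function parseDisableFunctions(string $iniValue): array
{
    $names = array_map('trim', explode(',', $iniValue));
    return array_values(array_filter($names, static fn (string $n): bool => $n !== ''));
}

/**
 * Required functions that a proposed disable list would take away; these are
 * the entries a requirements check would report as "disabled".
 *
 * @return string[]
 */
function conflictingFunctions(array $disableList, array $required): array
{
    return array_values(array_intersect($disableList, $required));
}

/**
 * The recommended list with X-Cart's requirements removed: a disable_functions
 * value that still hardens the server without breaking the store.
 *
 * @return string[]
 */
function safeDisableList(array $disableList, array $required): array
{
    return array_values(array_diff($disableList, $required));
}

/**
 * Live probe of the PHP this script runs under. function_exists() returns
 * false for a function listed in disable_functions (and for a function whose
 * extension is not loaded), which is why a requirements check can rely on it.
 *
 * @return string[]
 */
function missingOnThisServer(array $required): array
{
    return array_values(array_filter($required, static fn (string $f): bool => !function_exists($f)));
}

// Compare the two lists from the thread.
$conflicts = conflictingFunctions(RECOMMENDED_DISABLE, XCART_REQUIRED);
echo 'In the hardening list but required by X-Cart: ', implode(', ', $conflicts), PHP_EOL;

// A php.ini line that applies the rest of the recommendation.
echo 'disable_functions = ', implode(',', safeDisableList(RECOMMENDED_DISABLE, XCART_REQUIRED)), PHP_EOL;

// Then check the running PHP: first what php.ini configures, then what the
// function_exists() probe actually finds missing from the excerpt.
$configured = parseDisableFunctions((string) ini_get('disable_functions'));
echo 'disable_functions on this server: ', $configured === [] ? '(none)' : implode(', ', $configured), PHP_EOL;

$missing = missingOnThisServer(XCART_REQUIRED);
echo 'Required functions not available here: ', $missing === [] ? '(none)' : implode(', ', $missing), PHP_EOL;
```

Run it with the same PHP binary and php.ini the web server uses (the CLI often has its own php.ini, so `php -r` from a shell can give a different answer than the store sees). The first line of output is the overlap this thread is about; the last line is what a requirements check would list under "disabled functions" on that server.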

Triple A Racing 09-01-2017 05:41 PM

Re: PHP Settings & Secure Server for XC5
 
The feedback relates to server admin, but specifically when dealing with shared space and/or VPS customers, etc. Allowing free, uncontrolled access to all of the PHP functions shown in our first post may give rise to vulnerabilities, especially exec() or shell_exec() in PHP, where it can be easy to create a symlink and thus unchecked FollowSymLinks availability can arise. No problem for us, as we're not involved with any shared space / VPS etc., but others might be.

cflsystems 01-25-2018 08:40 AM

Re: PHP Settings & Secure Server for XC5
 
I just had this in admin on a client's site

Quote:

Disabled functions
Some functions, used by X-Cart, are found disabled. Make sure that these functions are not listed in "disable_functions" option and all php extensions required for these functions availability are enabled in the php.ini file. Please correct this and try again.

and the description for missing functions is

Quote:

The following functions are disabled:
:missedFunctions
These functions may be used by the software in some cases and should be enabled.

Latest 5.3.4.4 - so this is a bug? All ok, but for some reason XC lists this error message? If not, where is the list of disabled function(s) in here?

Triple A Racing 01-25-2018 05:14 PM

Re: PHP Settings & Secure Server for XC5
 
Never, ever seen that message ourselves. Interesting! The (lack of) information which is then provided, :missedFunctions etc., isn't very helpful :D XC?
