PHP Settings & Secure Server for XC5

   X-Cart forums > X-Cart 5 > General questions (X-Cart 5)
  #1  
Old 08-29-2017, 08:25 PM
Triple A Racing (X-Wizard; joined Jul 2008; Manchester UK; 1,028 posts)

PHP Settings & Secure Server for XC5

Can the X-Cart Dev Team and/or X-Cart Support Team please confirm that by following this (Non-X-Cart) server user's group technical recommendation, XC5 will still run like normal i.e. 100% unaffected. We think the answer is yes, but regardless of the current status of our own setup, confirmation from a team with a much better XC5 product knowledge than us, will help other XC5 store owners too when they read this thread
Quote:
For security reasons, all these PHP functions should be disabled: exec, passthru, shell_exec, system, popen, show_source, pcntl_exec, proc_open, proc_terminate, proc_close and pfsockopen
__________________
Dev Store & Live Store XC Business 5.4.1.35
Server: Ubuntu 22.04.2 LTS (HWE 6.2.0.26.26 kernel) / Plesk Obsidian
Nginx 1.20.4 / Apache 2.4.52 (Ubuntu Backported) / MariaDB 10.11.4 / PHP 7.4.33
  #2  
Old 08-30-2017, 12:18 AM
qualiteam (X-Guru; joined Dec 2010; 6,373 posts)

Re: PHP Settings & Secure Server for XC5

At least exec() is in the list of functions that should not be disabled on the server.
You can find the full list in \Includes\Requirements::getRequiredFunctions().

I'm not sure about the other functions. I see that some of them are not listed as required, but are called in source files (for example, popen() is used by the PHPMailer library). Perhaps it is because PHPMailer is an optional feature, so X-Cart technically can work without it.
__________________
Alex Solovev,
Qualiteam
  #3  
Old 08-30-2017, 12:47 AM
Triple A Racing

Re: PHP Settings & Secure Server for XC5

Quote:
Originally Posted by qualiteam
At least exec() is in the list of functions that should not be disabled on the server.
You can find the full list in \Includes\Requirements::getRequiredFunctions(). I'm not sure about the other functions. I see that some of them are not listed as required, but are called in source files (for example, popen() is used by the PHPMailer library). Perhaps it is because PHPMailer is an optional feature, so X-Cart technically can work without it.
Thank you! Yes, for the record and for the information of others, \Includes\Requirements::getRequiredFunctions() in XC 5.3.3.3 currently comprises:
Code:
    /**
     * @return array
     */
    private static function getRequiredFunctions()
    {
        return [
            'func_num_args', 'func_get_arg', 'func_get_args', 'strlen', 'strcmp', 'strncmp', 'strcasecmp', 'strncasecmp',
            'each', 'error_reporting', 'define', 'defined', 'get_class', 'get_called_class', 'get_parent_class',
            'method_exists', 'property_exists', 'class_exists', 'interface_exists', 'function_exists', 'get_included_files',
            'is_subclass_of', 'is_a', 'get_class_vars', 'get_object_vars', 'set_error_handler', 'restore_error_handler',
            'set_exception_handler', 'get_declared_classes', 'get_resource_type', 'extension_loaded', 'debug_backtrace',
            'debug_print_backtrace', 'strtotime', 'date', 'gmdate', 'mktime', 'strftime', 'time', 'getdate', 'date_create',
            'date_default_timezone_set', 'date_default_timezone_get', 'preg_match', 'preg_match_all', 'preg_replace',
            'preg_replace_callback', 'preg_split', 'preg_quote', 'preg_grep', 'preg_last_error', 'ctype_alpha', 'ctype_digit',
            'filter_var', 'filter_var_array', 'hash_hmac', 'json_encode', 'json_decode', 'spl_autoload_register',
            'spl_autoload_unregister', 'spl_autoload_functions', 'class_parents', 'class_implements', 'spl_object_hash',
            'iterator_to_array', 'simplexml_load_file', 'constant', 'sleep', 'flush', 'htmlspecialchars', 'htmlentities',
            'html_entity_decode', 'get_html_translation_table', 'sha1', 'md5', 'md5_file', 'crc32', 'getimagesize',
            'phpinfo', 'phpversion', 'substr_count', 'strspn', 'strcspn', 'strtok', 'strtoupper', 'strtolower', 'strpos',
            'stripos', 'strrpos', 'strrev', 'nl2br', 'basename', 'dirname', 'pathinfo', 'stripslashes', 'stripcslashes',
            'strstr', 'stristr', 'str_split', 'substr', 'substr_replace', 'ucfirst', 'lcfirst', 'ucwords', 'strtr',
            'addslashes', 'addcslashes', 'rtrim', 'str_replace', 'str_ireplace', 'str_repeat', 'chunk_split', 'trim',
            'ltrim', 'strip_tags', 'explode', 'implode', 'join', 'setlocale', 'chr', 'ord', 'parse_str', 'str_pad', 'chop',
            'sprintf', 'printf', 'sscanf', 'parse_url', 'urlencode', 'urldecode',
            'http_build_query', 'unlink', 'exec', 'escapeshellcmd', 'escapeshellarg', 'rand', 'srand', 'mt_rand', 'mt_srand',
            'getmypid', 'base64_encode', 'abs', 'ceil', 'floor', 'round', 'is_infinite', 'pow', 'log', 'sqrt', 'hexdec',
            'octdec', 'dechex', 'base_convert', 'number_format', 'getenv', 'putenv', 'microtime', 'uniqid',
            'quoted_printable_encode', 'set_time_limit', 'get_magic_quotes_gpc', 'get_magic_quotes_runtime', 'error_log',
            'error_get_last', 'call_user_func', 'call_user_func_array', 'serialize', 'unserialize', 'var_dump', 'var_export',
            'print_r', 'memory_get_usage', 'memory_get_peak_usage', 'register_shutdown_function', 'ini_get', 'ini_set',
            'get_include_path', 'set_include_path', 'setcookie', 'header', 'headers_sent', 'parse_ini_file',
            'is_uploaded_file', 'move_uploaded_file', 'intval', 'floatval', 'doubleval', 'strval', 'gettype', 'is_null',
            'is_resource', 'is_bool', 'is_float', 'is_int', 'is_integer', 'is_numeric', 'is_string', 'is_array', 'is_object',
            'is_scalar', 'is_callable', 'pclose', 'popen', 'readfile', 'rewind', 'rmdir', 'umask', 'fclose', 'feof', 'fgets',
            'fread', 'fopen', 'fstat', 'fflush', 'fwrite', 'fputs', 'mkdir', 'rename', 'copy', 'tempnam', 'file',
            'file_get_contents', 'file_put_contents', 'stream_context_create', 'stream_context_set_params',
            'stream_filter_append', 'stream_filter_remove', 'stream_socket_enable_crypto', 'stream_get_contents', 'flock',
            'stream_get_meta_data', 'stream_set_timeout', 'socket_set_timeout', 'socket_get_status', 'realpath',
            'fsockopen', 'pack', 'unpack', 'opendir', 'closedir', 'chdir', 'getcwd', 'readdir', 'glob', 'filemtime',
            'fileperms', 'filesize', 'file_exists', 'is_writable', 'is_readable', 'is_executable', 'is_file', 'is_dir',
            'is_link', 'chmod', 'touch', 'clearstatcache', 'disk_free_space', 'mail', 'openlog', 'syslog', 'closelog',
            'ob_start', 'ob_flush', 'ob_clean', 'ob_end_clean', 'ob_get_clean', 'ob_get_contents', 'ksort', 'krsort',
            'asort', 'sort', 'usort', 'uasort', 'uksort', 'array_walk',
            'array_walk_recursive', 'count', 'end', 'next', 'reset', 'current', 'key', 'min', 'max', 'in_array',
            'array_search', 'compact', 'array_fill', 'array_fill_keys', 'range', 'array_multisort', 'array_push',
            'array_pop', 'array_shift', 'array_unshift', 'array_splice', 'array_slice', 'array_merge',
            'array_merge_recursive', 'array_replace_recursive', 'array_keys', 'array_values', 'array_count_values',
            'array_reverse', 'array_reduce', 'array_pad', 'array_flip', 'array_change_key_case', 'array_unique',
            'array_intersect', 'array_intersect_key', 'array_diff', 'array_diff_key', 'array_diff_assoc',
            'array_udiff_assoc', 'array_sum', 'array_filter', 'array_map', 'array_chunk', 'array_combine',
            'array_key_exists', 'version_compare', 'stream_get_filters', 'sys_get_temp_dir', 'token_get_all',
            'xml_parser_create', 'xml_parse_into_struct', 'xml_get_error_code', 'xml_error_string',
            'xml_get_current_byte_index', 'xml_parser_free',
        ];
    }
So there are only the two you have mentioned that appear (from this checklist anyway) to possibly need further investigation (by us) with the other group as to why / which user adds a risk, etc.
  #4  
Old 09-01-2017, 05:41 PM
Triple A Racing

Re: PHP Settings & Secure Server for XC5

The feedback relates to server admin, but specifically when dealing with shared space and/or VPS customers, etc. Allowing free, uncontrolled access to all of the PHP functions shown in our first post may give rise to a vulnerability, especially exec() or shell_exec() in PHP, where it can be easy to create a symlink and thus unchecked FollowSymLinks availability can arise... No problem for us, as we're not involved with any shared space / VPS, etc., but others might be.
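The thread settles the question by reading the two lists against each other: of the eleven functions in the quoted recommendation (post #1), only exec and popen (and pclose, which goes with popen) appear in the 5.3.3.3 required list (post #3), and post #4 gives the shared-hosting reason for wanting the rest gone. The script below is an added example written for this page; it is not X-Cart's code and was not supplied by any poster. It pulls the function names out of Includes/Requirements.php without bootstrapping X-Cart (the method is private static, so plain text extraction is simpler than reflection), reports which of the recommended functions must stay enabled, prints the disable_functions value that remains, and then checks the running PHP the way X-Cart's own requirements check would, telling a function removed by disable_functions apart from one that is simply missing from the PHP build. Assumptions: the method body has the shape shown in post #3 (a `return [ ... ];` or `return array( ... );` of quoted names), the file path is passed as the first command-line argument, and when no path is given the script falls back to a constructed, abbreviated stand-in for that file embedded below.

```php
<?php
// Added example for this thread, not X-Cart code. Reconciles a hosting
// provider's "disable these PHP functions" list with the functions X-Cart 5
// declares in \Includes\Requirements::getRequiredFunctions(), then reports
// anything X-Cart needs that this PHP no longer exposes.
//
// Assumptions: the method body looks like the one quoted in this thread
// (`return [ 'name', ... ];` or `return array( ... );`); the path to
// Includes/Requirements.php is the first CLI argument; without an argument
// a constructed stand-in (below) is used so the script runs stand-alone.

/** The list quoted in the first post of this thread. */
const RECOMMENDED_TO_DISABLE = [
    'exec', 'passthru', 'shell_exec', 'system', 'popen', 'show_source',
    'pcntl_exec', 'proc_open', 'proc_terminate', 'proc_close', 'pfsockopen',
];

/** Extract the quoted function names from getRequiredFunctions() source text. */
function extractRequiredFunctions(string $phpSource): array
{
    $pattern = '/function\s+getRequiredFunctions\s*\(\)\s*\{.*?return\s*(?:\[|array\s*\()(.*?)(?:\]|\))\s*;/s';
    if (!preg_match($pattern, $phpSource, $m)) {
        throw new RuntimeException('getRequiredFunctions() not found in the expected shape');
    }
    preg_match_all("/'([A-Za-z0-9_]+)'/", $m[1], $names);
    return $names[1];
}

/** disable_functions is comma separated; admins often add spaces around the commas. */
function currentlyDisabled(): array
{
    $entries = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($entries, 'strlen'));
}

/** Split the recommendation into "must stay enabled" and "safe to put in disable_functions". */
function reconcile(array $recommended, array $required): array
{
    return [
        'keep_enabled'      => array_values(array_intersect($recommended, $required)),
        'disable_functions' => implode(',', array_values(array_diff($recommended, $required))),
    ];
}

/**
 * What X-Cart's requirements check would flag on this PHP. function_exists()
 * returns false both for a function removed by disable_functions and for one
 * that is absent from the build, so use the ini value to tell them apart.
 */
function missingAtRuntime(array $required): array
{
    $disabled = currentlyDisabled();
    $missing  = [];
    foreach ($required as $fn) {
        if (!function_exists($fn)) {
            $missing[$fn] = in_array($fn, $disabled, true)
                ? 'listed in disable_functions'
                : 'missing from this PHP build (extension not loaded or function removed)';
        }
    }
    return $missing;
}

// Constructed stand-in for Includes/Requirements.php (same shape, shortened list).
$sampleSource = <<<'PHP'
    /** * @return array */
    private static function getRequiredFunctions()
    {
        return [ 'exec', 'escapeshellcmd', 'escapeshellarg', 'popen', 'pclose',
                 'fsockopen', 'mail', 'preg_match', ];
    }
PHP;

$source = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleSource;
if ($source === false) {
    fwrite(STDERR, "cannot read {$argv[1]}\n");
    exit(1);
}

$required = extractRequiredFunctions($source);
$plan     = reconcile(RECOMMENDED_TO_DISABLE, $required);

echo "Recommended for disabling but required by X-Cart (keep enabled): ",
     implode(', ', $plan['keep_enabled']), "\n";
echo "Proposed php.ini line:\n  disable_functions = {$plan['disable_functions']}\n";

foreach (missingAtRuntime($required) as $fn => $why) {
    echo "X-Cart would report '{$fn}' as disabled: {$why}\n";
}
```

Run it with the php.ini the web SAPI actually uses (under PHP-FPM that is a different file from the CLI's), for example `php -c /etc/php/7.4/fpm/php.ini xc_disable_check.php /var/www/vhosts/example/httpdocs/Includes/Requirements.php` (the paths are placeholders). Fed the post #1 list and the post #3 file it reports exec and popen as the functions to keep enabled and proposes `disable_functions = passthru,shell_exec,system,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen`. The last loop is the check to run after editing php.ini: if it prints nothing, X-Cart's own "Disabled functions" requirement check has nothing to complain about on that PHP.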
  #5  
Old 01-25-2018, 08:40 AM
cflsystems (Veteran; joined Apr 2007; 14,190 posts)

Re: PHP Settings & Secure Server for XC5

I just had this in admin on a client's site:

Quote:
Disabled functions
Some functions, used by X-Cart, are found disabled. Make sure that these functions are not listed in "disable_functions" option and all php extensions required for these functions availability are enabled in the php.ini file. Please correct this and try again.

and the description for missing functions is:

Quote:
The following functions are disabled:
:missedFunctions
These functions may be used by the software in some cases and should be enabled.

Latest 5.3.4.4, so is this a bug? All OK, but for some reason XC lists this error message? If not, where is the list of disabled function(s) in here?
__________________
Steve Stoyanov
CFLSystems.com
Web Development
  #6  
Old 01-25-2018, 05:14 PM
Triple A Racing

Re: PHP Settings & Secure Server for XC5

Never, ever seen that message ourselves. Interesting! The (lack of) information which is then provided (:missedFunctions etc.) isn't very helpful, XC?
X-Cart forums © 2001-2020