Textpattern CMS support forum

#1 2014-07-30 13:46:47

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

php_uname() has been disabled for security reasons

Hi all,
after some time away from web development I installed a fresh copy of Textpattern (last version 4.5.5) and I’m experiencing a little issue. In the “diagnostics” page this message shows up:

adminErrorHandler()
textpattern/include/txp_diag.php:537 php_uname()
textpattern/include/txp_diag.php:109 doDiagnostics()
textpattern/index.php:176 include()

Everything seems to work ok for now but I fear I could experience some problems in the future.
I already asked my hosting company to enable this function but they refused “for security reasons”. Also a provider change is not an option.
Should I worry, or will this only affect my diagnostics page?

#2 2014-07-30 14:31:57

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: php_uname() has been disabled for security reasons

redbot wrote #282538:

Should I worry, or will this only affect my diagnostics page?

Good to see you back redbot. It will only affect the Diagnostics page as that’s where we display your hosting OS. I’ve never heard of this function being disabled before for security reasons, but after Googling for it there are several prominent providers like Joomla, WordPress, and MediaWiki suffering on hosts who have disabled it.

From what I can tell it’s a crude, knee-jerk method to stop the r57/c99 backdoor shell from running, though it’s hardly a deterrent because there are other ways to determine features of the OS (looking in /proc for example).

We can (could?) work around this in the Diagnostics panel by just omitting that info if the function is disabled. The annoying thing is that we don’t know in advance which functions hosters will whimsically decide are a threat. Today uname, tomorrow include!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp
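
The workaround described in the post above (omit the OS information when the function is disabled), as an added example that is not Textpattern's code and not written by either poster. The `diag_*` helper names are hypothetical, and it assumes the host restricts functions through PHP's `disable_functions` or Suhosin's `suhosin.executor.func.blacklist` / `suhosin.executor.func.whitelist` settings.

```php
<?php
// Added example; the diag_* helpers are hypothetical, not part of Textpattern.

// Read a comma-separated ini setting as a list of lowercase names.
function diag_ini_list($key)
{
    $raw = (string) ini_get($key); // ini_get() returns false for unknown keys
    $names = array_map('strtolower', array_map('trim', explode(',', $raw)));
    return array_filter($names, 'strlen');
}

// True if $name can be called without hitting a host-level restriction.
function diag_can_call($name)
{
    $name = strtolower($name);

    // False for undefined functions and for ones listed in disable_functions.
    if (!function_exists($name)) {
        return false;
    }
    if (in_array($name, diag_ini_list('disable_functions'), true)) {
        return false;
    }

    // Suhosin leaves the function defined and blocks it at call time,
    // so its lists have to be checked separately.
    if (extension_loaded('suhosin')) {
        if (in_array($name, diag_ini_list('suhosin.executor.func.blacklist'), true)) {
            return false;
        }
        $whitelist = diag_ini_list('suhosin.executor.func.whitelist');
        if ($whitelist && !in_array($name, $whitelist, true)) {
            return false;
        }
    }
    return true;
}

// OS line for a diagnostics page: full detail when allowed, otherwise the
// compile-time PHP_OS constant, which needs no function call.
function diag_host_os()
{
    if (diag_can_call('php_uname')) {
        return php_uname('s') . ' ' . php_uname('r');
    }
    return PHP_OS . ' (php_uname() unavailable on this host)';
}

echo diag_host_os(), PHP_EOL;
```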

#3 2014-07-30 14:46:12

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: php_uname() has been disabled for security reasons

Hi Bloke!
Thank you for your answer, I feel relieved now ;)
Regarding this issue I seem to understand the function is disabled by the suhosin module.
Thanks again, I hope I’ll be hanging around here more often now.

#4 2014-07-30 15:04:38

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,271
Website GitHub

Re: php_uname() has been disabled for security reasons

redbot wrote #282540:

the function is disabled by the suhosin module.

Ahhh, that explains a lot! I’ve had trouble on sites hosted where that beast has been installed. I understand why hosters are paranoid about security, but many of them seem to just install it with the default settings without thinking through how it affects people.


#5 2014-07-30 15:16:51

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,410

Re: php_uname() has been disabled for security reasons

Bloke wrote #282541:

… but many of them seem to just install it with the default settings without thinking through how it affects people.

I hear you ;)