Disable_functions PHP

Hey all,

Just a quick question regarding disabling PHP functions;

  • What PHP functions need to be disabled for security measures?

If anyone is familiar with RunCloud, when you install a web application (such as Mautic), it is created in a container on the VPS which gives you easy access to add/remove functions etc.

When a new container is created, a set of default rules are applied - ‘disable_functions ()’ - and I’m aware that Mautic needs a lot of PHP functions to work correctly, so I’m looking to apply the minimum amount of disabled rules without hindering functionality.

If anyone knows of just the essential PHP functions which need to be disabled for secuirty purposes then that would be amazing!

Hope you’re well, many thanks!

I doubt you’re going to get the answer you want as most people using Mautic are not aware of this. Your best bet is to disable various functions until Mautic breaks and then you’ll find the minimum necessary PHP functions to run.

Are you sure disabling functions is the right approach?

This is a really risky procedure as on each update you risk breaking something.
Mautic is a really complex application and is built on top Symfony framework.

Blocking PHP functions doesn’t have much sense: the problem is that if an attacker is able to run PHP code on the machine, the problem is not the ability to run these function but is the fact that your server is bugged.

Anyway, as told, Mautic is on top of Symfony and the frameworks takes care of sanitizing the user’s inputs.

So, the only way an attacker has to run PHP code on your machine is through a bug in your configuration. As told, in such a case I think blocking the execution of some PHP functions is not so useful: the problem, in such cases is really bigger than the simple PHP functions.

1 Like