1

Possible Duplicate:
Exploitable PHP functions

My question is about disable_functions. May I ask for a list of functions that are vulnerable for online users when they are using an online PHP editor? Like http://writecodeonline.com/php/; this editor blocks many functions. I have found a few of them, which are:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, dl, fsocket, pfsockopen, fsockopen, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, phpinfo, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, system, proc_open, symlink, xmlrpc_entity_decode, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source"

Thanks to http://www.jonboy60.com/2010/05/04/disable_function-on-php-ini/

Andrew Brēza
Adnan
  • 2
    If you need to ask please don't attempt it. We have had too much fun with all the vulnerable codepads recently ;-) – PeeHaa Nov 03 '12 at 12:56
  • 2
    You should search before asking. http://stackoverflow.com/questions/3115559/exploitable-php-functions – Robik Nov 03 '12 at 12:59
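
A lint pass over a disable_functions line like the one in the question, as an added example that is not part of the original post or its answers. It reports curly quotes, duplicate entries, and names that are PHP language constructs (such as eval, which disable_functions cannot block). The function name lint_disable_functions and the sample line are assumptions made for illustration.

```python
"""Lint a php.ini disable_functions line (added example)."""
import re
from collections import Counter

# PHP language constructs, not functions: disable_functions has no effect on them.
LANGUAGE_CONSTRUCTS = {
    "eval", "echo", "print", "include", "include_once",
    "require", "require_once", "isset", "empty", "unset", "list",
}
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
TYPOGRAPHIC = "\u201c\u201d"          # curly quotes; not ini quoting characters
QUOTES = "\"'" + TYPOGRAPHIC

# Constructed sample: entries taken from the question's list, with curly
# quotes of the kind a copy-paste from a blog page introduces.
SAMPLE = ("disable_functions = \u201ceval, exec, passthru, popen, posix_setuid, "
          "posix_setuid, proc_open, shell_exec, system, system,proc_open, "
          "popen, show_source\u201d")


def lint_disable_functions(line):
    """Return a dict of findings for one 'disable_functions = ...' line."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "disable_functions":
        raise ValueError("not a disable_functions directive")
    names = [part.strip().strip(QUOTES).strip() for part in value.split(",")]
    names = [name for name in names if name]
    counts = Counter(names)
    unique = list(dict.fromkeys(names))   # first occurrence wins, order kept
    return {
        "curly_quotes": any(ch in value for ch in TYPOGRAPHIC),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "constructs": sorted(n for n in unique if n.lower() in LANGUAGE_CONSTRUCTS),
        "malformed": sorted(n for n in unique if not IDENTIFIER.match(n)),
        "normalized": "disable_functions = " + ",".join(unique),
    }


if __name__ == "__main__":
    for field, finding in lint_disable_functions(SAMPLE).items():
        print(f"{field}: {finding}")
```
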

1 Answer

2

I do not have a definitive list - but any function that uses

  • Network
  • Disk
  • Interferes with Apache (or other web browser)
  • Guess probably anything to do with databases

probably are blocked by code pads. I would also imagine that there are very tight upper limits on memory usage.

Just use these sites for minimal stuff just to demonstrate a problem to other folks (such as people on this site).

Ed Heal