Forum

Thread tagged as: Problem, Error, Hosting

escapeshellcmd disabled error message

Hi,

I'm seeing error messages output to screen when a form on my site is submitted. The form data itself is sent through to Perch admin, but the thank you page isn't displayed. Instead I just see the following error.

Warning: escapeshellcmd() has been disabled for security reasons in /home/XXXXXXX/public_html/perch/core/lib/PHPMailer.class.php on line 1449

Warning: Cannot modify header information - headers already sent by (output started at /home/XXXXXXX/public_html/perch/core/lib/PHPMailer.class.php:1449) in /home/XXXXXXX/public_html/perch/core/lib/PerchUtil.class.php on line 194

I've contacted the host who confirms that escapeshellcmd has been disabled due to security reasons, specifically "...above mentioned commands are often used maliciously. We disabled these function to avoid attack to our server, to block users to execute arbitrary commands on our shared server using PHP."

I'm running Perch 2.8.34.

Can you suggest anything that I can tell them?

Many thanks in advance for your help.

Simon Kelly

Simon Kelly 0 points

  • 4 years ago
Rachel Andrew

Rachel Andrew 394 points
Perch Support

Quoting Drew in an earlier thread (from searching the forum) - https://forum.grabaperch.com/forum/08-28-2015-warning-escapeshellcmd-has-been-disabled-and-other-errors

"In this context, escapeshellcmd is being used to escape content as it's being written to an error log. We escape it because it's come from the user and so we're guarding against attacks that exploit software that later parses those logs.

This is essentially a security feature that they're disabling.

The warnings themselves aren't really a problem. Once your site is live you can turn off error display and you won't see them."

Thanks, Rachel.

I'll contact the host with info from that thread and will see what they can do.

Just a quick question: when Drew says that error display can be turned off, is he referring to a Perch setting, or the live server config?

Thanks for your help.

Drew McLellan

Drew McLellan 2638 points
Perch Support

In your PHP config - usually php.ini

Thanks, Drew. That's stopped the error messages displaying.

Do you think that having escapeshellcmd disabled on my host is a cause for concern in terms of running Perch?

Thanks again.

Drew McLellan

Drew McLellan 2638 points
Perch Support

It's not a big concern for Perch. It would make me question the host's attitude to security slightly.

Thanks, Drew. I'll bear that in mind.