Forum
Warning: escapeshellcmd() has been disabled and other errors
Dear Support
I recently moved my server to a version with php 5.4 on so I could test out perch shop, which Im getting along with really well. There is just one problem that happens ONLY if I put in the wrong password when accessing /perch and logging in. Please bear in mind it works fine if I log in correctly so doesnt stop me playing, but looks nasty if I dont !
The error on the screen is as follows :
Warning: escapeshellcmd() has been disabled for security reasons in /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php on line 108
Warning: syslog() has been disabled for security reasons in /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php on line 109
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/inc/auth.php on line 28
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/inc/auth.php on line 47
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/lib/PerchUtil.class.php on line 1168
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/lib/PerchUtil.class.php on line 1169
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/lib/PerchUtil.class.php on line 1170
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/lib/PerchUtil.class.php on line 1176
Warning: Cannot modify header information - headers already sent by (output started at /home/redcellc/public_html/perch/core/lib/PerchAuthenticatedUser.class.php:108) in /home/redcellc/public_html/perch/core/inc/top.php on line 17
Now I spoke to my hosts and they tell me as it is a shared server they cant adjust the settings that I seem to need adjusting as it would be 'a security risk', this is from them not me. So what do I do? please dont say move hosts as I have a lot on the servers !
Rich
What security risk are they saying this presents? Specifically.
They simply Said on shared accounts they wouldnt open it because of security risks Im afraid, so unless anyone knows decent priced reseller hosts that will Im stuffed :(
unless anyone got a statement that tells them they are being stupid ofc
Anyone who declares vague security risks without any information as to what these are sounds to be someone who doesn't know what they are talking about.
From a host it generally means "we don't know what we are doing". They have disabled a core feature of PHP and won't tell you why.
The function which you do require seems require the ssh access that is related with the ssh connection with the server. And we do not allow the ssh connection with the same server hence it is not possible to enable the same fucntion on the same server.
So they are asking if you need shell access as these functions are related to it, and if so , why do you need it ?
In this context,
escapeshellcmdis being used to escape content as it's being written to an error log. We escape it because it's come from the user and so we're guarding against attacks that exploit software that later parses those logs.This is essentially a security feature that they're disabling.
The warnings themselves aren't really a problem. Once your site is live you can turn off error display and you won't see them.
I am told :
escapeshellcmd() should be used on the whole command string, and it still allows the attacker to pass arbitrary number of arguments. For escaping a single argument escapeshellarg() should be used instead.
I have raised a complaint ticket with them, but I get the feeling I will not get anywhere.
good news is, with your help and advise, they have enabled the options on the domain, at last :)