MrAlicard Posted August 3, 2017 (edited)

Hello

I use IPB, and when I click Security in the AdminCP there are two warnings.

First

Disable Dangerous PHP Functions
We recommend disabling the following functions on your server. If you do not manage your server yourself, your hosting provider will be able to assist with this.
pcntl_exec

Second

Disable Public Display of PHP Errors
Your server is currently set up to display errors on the page. This is not advised in production and only logging to file should be enabled. Your hosting provider will be able to assist with this.

I tried to disable display errors in .htaccess with this: php_flag display_errors off, but I got an error (error code 500).

Edited August 3, 2017 by MrAlicard
wolstech Posted August 3, 2017

First off, do you have/can you prove you have a license for IPB? (We don't allow nulled software.)

As for your concerns...

Pcntl_exec is a security risk based on what I've read since it's basically just exec() that reuses process space. This one does need to go since exec is already disabled.

We intentionally enabled the display_errors because we get too many complaints about 500 errors with them off. I and many others prefer them on, and 90% of other hosts also have them on by default. People expect the errors to appear if their script is broken. A regular 500 error doesn't tell you anything useful.

Escalating to disable pcntl_exec()...
MrAlicard Posted August 3, 2017 (Author)

I contacted IPB support to ask whether something will happen if I don't disable display errors, and they wrote that display_errors is only a medium security level and only shows errors on the website. It's not a big problem if I only have a forum with some people, BUT this pcntl thing must be disabled, otherwise there is a high security risk as you mentioned.

Thank you for the answer.
Krydos Posted August 3, 2017

Please post the following information:

Your cPanel username
Your main domain
The server that you are on
Version of PHP you're using
Krydos Posted November 2, 2017

Disabled pcntl_exec on Tommy

https://krydos.heliohost.org/54/disabled.php
https://krydos.heliohost.org/55/disabled.php
https://krydos.heliohost.org/56/disabled.php
https://krydos.heliohost.org/70/disabled.php
https://krydos.heliohost.org/71/disabled.php
https://krydos.heliohost.org/72/disabled.php

and Ricky

https://krydos1.heliohost.org/54/disabled.php
https://krydos1.heliohost.org/55/disabled.php
https://krydos1.heliohost.org/56/disabled.php
https://krydos1.heliohost.org/70/disabled.php
https://krydos1.heliohost.org/71/disabled.php
https://krydos1.heliohost.org/72/disabled.php

and Johnny

https://krydos2.heliohost.org/disabled.php

Thanks for noticing this security vulnerability and letting us know about it.
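
A check of the two settings this thread is about (whether pcntl_exec is listed in disable_functions, and whether errors are displayed rather than logged), as an added example that is not part of the original posts and is not the code behind the disabled.php pages linked above. The function names are this example's own; only exec and pcntl_exec come from the thread.

```php
<?php
// Added example: audits the php.ini settings discussed in the thread.
// Helper names are hypothetical; sample values are constructed.

/** Split a disable_functions value into a normalized list of names. */
function disabled_functions(string $ini): array
{
    $names = array_map('trim', explode(',', strtolower($ini)));
    return array_values(array_filter($names, 'strlen'));
}

/** Boolean ini values arrive as "1", "", "On", "Off", ...; display_errors
 *  may also be "stdout" or "stderr", which both count as enabled. */
function ini_on(string $value): bool
{
    $v = strtolower(trim($value));
    return !in_array($v, ['', '0', 'off', 'no', 'false', 'none'], true);
}

/** Return a list of findings for the given ini values. */
function audit(string $disableIni, string $display, string $log, array $dangerous): array
{
    $disabled = disabled_functions($disableIni);
    $findings = [];
    foreach ($dangerous as $fn) {
        if (!in_array(strtolower($fn), $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }
    if (ini_on($display)) {
        $findings[] = 'display_errors is on: errors are shown on the page';
    }
    if (!ini_on($log)) {
        $findings[] = 'log_errors is off: errors are not written to a log';
    }
    return $findings;
}

$watch = ['exec', 'pcntl_exec'];

// Constructed sample: exec is disabled, pcntl_exec is not, errors are displayed.
print_r(audit('exec, system,passthru', 'On', '0', $watch));

// Live values of the PHP runtime this script runs under.
print_r(audit(
    (string) ini_get('disable_functions'),
    (string) ini_get('display_errors'),
    (string) ini_get('log_errors'),
    $watch
));
```

pcntl_exec only exists when the pcntl extension is loaded, so a finding for it matters only where extension_loaded('pcntl') returns true.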