[BlueOnyx:22456] Re: escapeshellcmd disabled by default - wordpress contact form 7

[Michael Stauber]

Hi Jochen,

Sorry, I just noticed that my reply to you never made it to the list, so
I'm sending it again:

> * escapeshellcmd is being disabled in blue onyx by default 
> - Why did you decide to disable escapeshellcmd by default?

PHP can run Linux shell commands on your server with the privileges of
the UID/GID of the owner of the PHP script(s).

Malicious scripts often abuse this and for that reason we (by default)
disable some of the commonly abused PHP commands that are used in
typical exploit scenarios:

The following can execute commands:

system
passthru
shell_exec
popen

The following can maliciously modify running processes:

proc_open
proc_nice

This one can be used to modify safety and runtime settings of the PHP
instance and can override restrictions that we had set as a security
precaution:

ini_restore

Out of the whole batch this one certainly is the most harmless:

escapeshellcmd

While it doesn't do anything malicious by itself, it's often used in
attack scenarios as a preparator to form a path or file name.

Our defaults are suggestions and you can of course override them if you
like.

> - Is the only way of resolving my issue to enable escapeshellcmd?

Yes. Go to "Server Management" / "Security" / "PHP" and remove
"escapeshellcmd" from the list under "Disable functions" and save the
changes.

After that "escapeshellcmd" will be available for all Vsites that use PHP.

-- 

With best regards

Michael Stauber