Author Topic: [SOLVED] SecurityImages and PHP 'disable_functions'  (Read 2750 times)

voice_of_reason

  • Beginner
  • Posts: 10
[SOLVED] SecurityImages and PHP 'disable_functions'
« on: April 08, 2010, 11:19:39 am »
I've set my 'php.ini' file as advised by the Joomla Security Checklist with the following line:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, phpinfo

However, this breaks SecurityImages in all the places I'm using it in VirtueMart - all the Captcha images appear as broken links. If I remove the above line from my 'php.ini' SecurityImages starts working again.

Does anyone know which 'disable_function' is causing this, and if I remove it from my 'php.ini', am I compromising the security of my site?

I'm using SecurityImages 5.1.2, Joomla 1.5.14 and VirtueMart 1.1.4.

Thanks very much!

Svetlio

  • Jr. Member
  • Posts: 141
Re: SecurityImages and PHP 'disable_functions'
« Reply #1 on: April 08, 2010, 16:59:36 pm »
I have performed some tests at my end with SecurityImages 5.1.2, Joomla 1.5.15 and VirtueMart 1.1.4.

Once I removed the phpinfo function from the list of the disabled ones the Security images load normally.

The phpinfo function outputs information regarding your PHP configuration.

You can find more details at:

http://php.net/manual/en/function.phpinfo.php

I think that it will be safe to remove it from the disable_functions list.

Then clear the cache of your browser and verify the security images functionality.
SiteGround Technical Support Team Member. Check out our special VirtueMart hosting package

voice_of_reason

  • Beginner
  • Posts: 10
[SOLVED] SecurityImages and PHP 'disable_functions'
« Reply #2 on: April 08, 2010, 23:13:09 pm »
Thanks for that. You were right, it was 'phpinfo' that was causing the problem. I found the code that's using it. It's the 'hncaptcha' plugin - it uses 'phpinfo' to figure out your server's GD library version.

Just to be on the safe side, I still wanted to keep 'phpinfo' disabled, so I modified the hncaptcha code to simply return my GD version (after temporarily enabling 'phpinfo' to find out what my GD version was) instead of calling 'phpinfo' to figure it out. I checked the code and it only seems to check that the version is greater than '2', so as long as my host only ever upgrades GD, and never downgrades it (can't think why they would?), I should be safe!

I modified 'function get_gd_version()' at the following location:

\components\com_securityimages\plugins\hncaptcha\1.0\hn_captcha.php

... and commented out the whole 'if' statement. Instead, I inserted...

'$gd_version_number = insert_your_gd_version_number_here;'

...just before the last line that returns the variable's value. SecurityImages now works and you can safely leave 'phpinfo' disabled.

Hope this helps someone!
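
An added example, not part of the posts above and not the hncaptcha source: one way to detect the GD major version at runtime without phpinfo(), so 'phpinfo' can stay in disable_functions and no version number has to be hardcoded. It relies on PHP's built-in gd_info(); the three function names are hypothetical and the sample values are constructed.

```php
<?php
/** Split a disable_functions value into a clean list of function names. */
function parse_disabled_functions($ini_value)
{
    $names = array_map('trim', explode(',', (string) $ini_value));
    return array_values(array_filter($names, 'strlen'));
}

/** Extract the major version from a GD version string, 0 if unrecognised. */
function gd_major_from_string($version_string)
{
    // gd_info() reports strings such as "bundled (2.0.34 compatible)" or "2.3.3".
    if (preg_match('/(\d+)\.\d+/', (string) $version_string, $m)) {
        return (int) $m[1];
    }
    return 0;
}

/** Hypothetical stand-in for a phpinfo()-based GD version check. */
function get_gd_major_version()
{
    if (!extension_loaded('gd')) {
        return 0; // GD is not available at all
    }
    // Explicit check so the result does not depend on how the running
    // PHP version reports functions listed in disable_functions.
    $disabled = parse_disabled_functions(ini_get('disable_functions'));
    if (function_exists('gd_info') && !in_array('gd_info', $disabled, true)) {
        $info = gd_info();
        if (isset($info['GD Version'])) {
            $major = gd_major_from_string($info['GD Version']);
            if ($major > 0) {
                return $major;
            }
        }
    }
    // Heuristic fallback: true-colour image creation requires GD 2.x.
    return function_exists('imagecreatetruecolor') ? 2 : 1;
}

// Constructed sample input mirroring the php.ini line quoted in this thread.
$sample = 'show_source, system, shell_exec, passthru, exec, popen, proc_open, phpinfo';
var_dump(in_array('phpinfo', parse_disabled_functions($sample), true));
var_dump(gd_major_from_string('bundled (2.0.34 compatible)'));
var_dump(get_gd_major_version());
```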