PHP disable_functions Executable Handling

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 WASC-13

The disable_functions directive is used to stop certain PHP functions from executing. Some PHP functions, if an attacker gains access to them, can be used to make changes at the operating-system level of the server and have catastrophic effects on the web application. Many servers do not set disable_functions at all. The directive lets the administrator disable specific functions to raise the security of the server, since PHP has many functions that can be used to compromise an application's server if they are exposed carelessly. disable_functions is not affected by Safe Mode. It is set in the php.ini file (it is a system-level directive, so it cannot be changed at runtime with ini_set()), and it must be configured correctly to be effective.


The line below is an example of the disable_functions directive in php.ini:

        disable_functions = "exec, system"



If dangerous functions are left enabled, an attacker can:

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

The vulnerability can be fixed by:

  • Implementing disable_functions in php.ini.
  • Disabling all functions that the application does not need and that could be abused.
  • If running WordPress, disabling at least exec(), shell_exec() and system(). A stricter list is:
        disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
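As an added example (not part of the original page), the PHP script below audits which functions from the recommended list above are still callable under the php.ini that is actually loaded. The baseline list is assumed from the line above; run it under the same SAPI as the web application (for example through php-fpm), because the CLI may load a different php.ini.

```php
<?php
// Added example: audit the loaded disable_functions setting against a
// baseline of high-risk functions. Not part of the original page.

// Baseline taken from the recommended directive above (assumed list).
const HIGH_RISK_FUNCTIONS = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source',
];

// Parse the comma-separated directive value into a normalised list
// (whitespace trimmed, empty entries dropped, lower-cased).
function parseDisabledFunctions(string $iniValue): array {
    $names = array_map('trim', explode(',', $iniValue));
    $names = array_filter($names, fn(string $n): bool => $n !== '');
    return array_values(array_map('strtolower', $names));
}

// Return the baseline functions that are NOT covered by the directive.
function stillEnabled(array $disabled, array $highRisk = HIGH_RISK_FUNCTIONS): array {
    return array_values(array_diff($highRisk, $disabled));
}

$disabled = parseDisabledFunctions((string) ini_get('disable_functions'));
$missing  = stillEnabled($disabled);

echo 'Loaded php.ini:    ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
echo 'disable_functions: ', implode(',', $disabled) ?: '(empty)', PHP_EOL;

if ($missing === []) {
    echo 'OK: every baseline function is disabled', PHP_EOL;
    exit(0);
}

echo 'Baseline functions not covered by disable_functions:', PHP_EOL;
foreach ($missing as $fn) {
    // function_exists() is false for disabled functions and for functions
    // that were never compiled in (e.g. curl_exec without ext/curl), so a
    // function missing from the directive but reported "not compiled" is
    // not callable today, yet would become callable if the extension is added.
    $state = function_exists($fn) ? 'ENABLED (callable)' : 'not compiled in';
    echo "  $fn: $state", PHP_EOL;
}
exit(1);
```

A non-zero exit code makes the script usable as a configuration check in deployment pipelines.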

