SamyT Posted September 30, 2005
Today I received the following email from my host about changes to PHP. Can someone read this and confirm whether these changes will affect an installation of osCommerce or not?

> On Monday, October 10th we will be making a change to the way PHP runs in your VPS account to enhance your security. PHP contains several functions that allow you to execute system commands from within your PHP code. When a computer cracker locates a vulnerability in a PHP script, they will generally use these functions to gain access to your account. Even if the script itself does not use these functions, the vulnerability will allow the cracker to supply code to be run in your account. Because new vulnerabilities will continue to be found and exploited in popular software, we are taking a more proactive approach toward ensuring your account remains secure.
>
> To enhance your security we will be disabling the PHP functions "proc_open", "system", "cmd", "shell_exec", and "passthru" in your php.ini file (using `backticks` to execute a command is an alias for the function shell_exec). This will make it extremely difficult for a cracker to exploit PHP script vulnerabilities to execute their malicious code. We have already taken steps to ensure that any Site Applications we provide you with will continue to function normally. The majority of applications written in PHP do not use these functions and will not lose any functionality when this happens.
>
> However, we realize that some of you do need these functions, so we would like to make it simple to opt out of having any of these functions disabled. You can find more information on these functions (how to know if you are using them, how to enable them in the future if needed, etc.) at http://helpdocs.westserver.net/php-security-information.html.
>
> To opt out, please place a file in the "/etc" directory of your account called "phpoptout.txt" (all lower case). It should contain the list of the functions you would like to have left enabled. Please list them all on one line, separated by a comma and a space. For example, if you need to have the "proc_open" and "passthru" functions left enabled you would create the file "/etc/phpoptout.txt" and it would contain the text: "proc_open, passthru". An easy way to do this is to use your online File Manager at http://www.yourdomain.com/fm/. If you run into any problems doing this please contact our technical support (http://members.westhost.com/contactus.html) for assistance.
>
> We are making this change with both of our best interests in mind. Having your account compromised is a frustrating (and sometimes expensive) problem that results in a lot of unproductive use of time for everyone involved. We want to keep this type of malicious, illegal behavior off of our servers and out of your account.
WiseWombat Posted September 30, 2005
> Today I received the following email from my host about changes to PHP - Can someone read this and confirm whether these changes will affect an installation of oscommerce or not?

Yes, as soon as possible, as PHP 4.3.11 had a major security flaw; an upgrade to the latest release is highly advisable.

( WARNING ) I think I know what I'm talking about. BACK UP BACK UP BACK UP BACK UP
MarcoZorro Posted September 30, 2005
No, the upgrade shouldn't affect anything important in osCommerce, maybe the server info page, but that should be about it.
SamyT (author) Posted September 30, 2005
Um.. I'm confused, you quoted part of what I asked and didn't seem to answer what I asked. What do you mean by "Yes as soon as possible as php 4.3.11 had a major security flaw an upgrade is highly advisable to the latest release."?
MarcoZorro Posted September 30, 2005
> Yes as soon as possible as php 4.3.11 had a major security flaw an upgrade is highly advisable to the latest release.

I can't see anything relating to a security flaw in PHP 4.3.11. The only major issue fixed in PHP 4.4.0 is a memory reference bug, but this isn't a security flaw, more a problem that can happen in very rare cases, and it has also existed for about 7 releases of PHP prior to 4.3.11, so it isn't critical in my opinion.
SamyT (author) Posted September 30, 2005
Ok, I'm not actually asking about upgrading though. I am asking about my webhost's plans to change and whether that will stop osCommerce from functioning at this busy time of year. We can't really afford downtime that I don't know how to fix.
kgt Posted September 30, 2005
We cannot know for sure what code you are using. I don't know that there are any contributions that make system calls, but an easy way for you to make sure is to do a search through your code for the functions they are disabling. It is HIGHLY unlikely you've got OSC-related code that is using any of them, so don't expect to find any instances.

Contributions: Discount Coupon Codes, Donations
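The search kgt suggests, written out as an added example that is not part of the thread: it greps a PHP tree for calls to the functions named in the host's notice and separately lists backtick lines, since the notice says backticks are an alias for shell_exec. The two sample files are constructed stand-ins for a shop's code, not osCommerce sources.

```shell
#!/bin/sh
# Added example, not from the thread: search a PHP tree for calls to the
# functions the host's notice says it will disable, plus the backtick
# operator, which the notice describes as an alias for shell_exec. "cmd"
# stays in the list because the notice names it (it is not a standard PHP function).
DISABLED_FUNCS="proc_open system cmd shell_exec passthru"

# Report every line in *.php files under $1 that calls one of the functions.
# The name must not be preceded by an identifier character, "$", "->" or "::",
# so mysystem(), $obj->system() and Foo::system() are not reported: php.ini's
# disable_functions only affects the built-in global functions.
scan_disabled_calls() {
  alt=$(printf '%s|' $DISABLED_FUNCS)
  alt=${alt%|}
  find "$1" -name '*.php' -exec grep -inE \
    "(^|[^a-z0-9_>:\$])($alt)[[:space:]]*\(" /dev/null {} +
}

# A backtick cannot be told apart from MySQL identifier quoting inside a query
# string without parsing the PHP, so every line containing one is listed for
# manual review instead of being filtered.
scan_backticks() {
  find "$1" -name '*.php' -exec grep -n '`' /dev/null {} +
}

count_lines() { wc -l | tr -d ' '; }

# Constructed sample tree standing in for a shop's catalog directory.
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/cron.php" <<'EOF'
<?php
$load = system('uptime');   // stops working once the host disables it
$list = `ls -l`;             // backtick operator, i.e. shell_exec
passthru ('date');           // whitespace before "(" is still a call
EOF
  cat > "$dir/orders.php" <<'EOF'
<?php
$order->system('recalc');    // method call: not affected by disable_functions
mysql_query("SELECT `orders_id` FROM orders");   // SQL backtick: false alarm
EOF
  echo "$dir"
}

# Scan the directory given on the command line, e.g. the shop's catalog/ tree.
if [ "$#" -gt 0 ]; then
  scan_disabled_calls "$1"
  echo '--- lines containing a backtick, review by hand ---'
  scan_backticks "$1"
fi
```

On the constructed tree the first scan reports two calls (system and passthru in cron.php) and the backtick scan two lines, one of which is the harmless SQL quoting in orders.php.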
WiseWombat Posted September 30, 2005
> Ok, i'm not actually asking about upgrading though, I am asking about my webhost plans to change and whether that will stop oscommerce from functioning at this busy time of year. We can't really afford downtime that I don't know how to fix.

It's about a 10 minute fix to upgrade. I can't see why you should have a problem if your host knows what they're doing. I don't write PHP so I can't tell you what the full impact of the upgrade will be, but I can tell you that I have upgraded without a problem, and the site still seems to function fine.

( WARNING ) I think I know what I'm talking about. BACK UP BACK UP BACK UP BACK UP
SamyT (author) Posted September 30, 2005
I didn't read it as they were upgrading though, I don't understand where this upgrade talk is coming from? It seems to me they're changing the way things function, not changing to a newer version.
MarcoZorro Posted September 30, 2005
> I didnt read it as they were upgrading tho, I don't understand where this upgrade talk is coming from? It seems to me they're changing the way things function, not changing to a newer version.

From your original message they are simply disabling some functions of PHP that can be used to exploit servers if misused. As long as you're not using any system calls (and if you are, then you should really change them if not needed) this change won't affect you. There is also no need to look at upgrading PHP to 4.4.0: there are no security flaws reported for 4.3.11, and there is a compatibility break in 4.4.0 that can catch the unsuspecting developer out.