I believe we only use shell_exec for DNS lookups. If you disable hostname lookups, you should be okay disabling that function as well. Of course, I haven't studied the code all that closely lately, so there might be something else using it as well.
You're right. I just checked. Only 3 uses of it, all in one function, host_from_ip($ip).
Revised php.ini line. I tested a variation of this. Browsing through forum pages and in the Admin area produced no errors:
disable_functions = exec,shell_exec,passthru,system,show_source,proc_open,popen,parse_ini_file,dl,curl_errno,curl_error,curl_exec,curl_init,curl_multi_add_handle,curl_multi_exec,curl_multi_init,curl_multi_select,curl_setopt_array,curl_setopt
I think I've seen an injection attack script that used ftp to retrieve the remote shell script, so the whole slew of ftp_ commands could be added to the list, too. However, ftp_ functions are used extensively by SMF's install.php and the Package Manager, so you'd have to remember to enable them before using those functions.
Basically, you just have to keep attackers out so they can't get to the "import a remote file" stage of the attack. The first "import a remote script" is often done by injection of a URL in a query string, so allow_url_fopen = Off will usually prevent them from getting to the second stage. Also blocking libwww-perl in .htaccess will help, as it is the most common User-Agent used (actually the only one I've seen used so far).
Once they're in, allow_url_fopen = Off won't prevent them from using the ftp_ functions. (I realized that just now: the Package Manager upgrade from 1.1.3 to 1.1.4 a couple days ago was successful even though allow_url_fopen was Off in php.ini.)
Useful security-related php.ini settings:
register_globals = Off
allow_url_fopen = Off
disable_functions = (as above)
display_errors = Off
display_startup_errors = Off
error_log = /home/{user}/{path}/{filename}
error_reporting = E_ALL
expose_php = Off
log_errors = On
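One way to check a php.ini against the settings and the disable_functions list posted in this thread. This is an added example, not part of the original posts or of SMF; the function names and the sample file contents are constructed for illustration.

```python
# Added example: audit php.ini text against the settings listed in the thread.
RECOMMENDED = {  # from the "Useful security-related php.ini settings" list
    "register_globals": "off", "allow_url_fopen": "off", "display_errors": "off",
    "display_startup_errors": "off", "error_reporting": "e_all",
    "expose_php": "off", "log_errors": "on",
}
REQUIRED_DISABLED = set((  # from the revised disable_functions line
    "exec,shell_exec,passthru,system,show_source,proc_open,popen,parse_ini_file,dl,"
    "curl_errno,curl_error,curl_exec,curl_init,curl_multi_add_handle,curl_multi_exec,"
    "curl_multi_init,curl_multi_select,curl_setopt_array,curl_setopt").split(","))

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # naive: ignores ';' inside quotes
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def norm(value):
    """Fold PHP's boolean spellings to on/off; lowercase anything else."""
    v = value.lower()
    if v in ("off", "0", "false", "no", "none", ""):
        return "off"
    return "on" if v in ("on", "1", "true", "yes") else v

def audit(text):
    """Return a list of findings; an empty list means the file matches."""
    ini = parse_ini(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = norm(ini.get(key, "<unset>"))
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    if not ini.get("error_log"):  # path is site-specific, only presence is checked
        findings.append("error_log: not set")
    listed = ini.get("disable_functions", "").split(",")
    missing = sorted(REQUIRED_DISABLED - {f.strip().lower() for f in listed})
    if missing:
        findings.append("disable_functions missing: " + ",".join(missing))
    return findings

SAMPLE = """; constructed sample, not a file from the thread
register_globals = Off\nallow_url_fopen = On\ndisplay_errors = Off
disable_functions = exec,shell_exec,passthru,system\ndisplay_startup_errors = Off
error_log = /home/example/logs/php_errors.log\nerror_reporting = E_ALL
expose_php = Off\nlog_errors = On\n"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Run it against the file that phpinfo() reports as the loaded configuration file, since that is the one PHP actually reads.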