Skip to main content

Securing PHP4

There are many things to take into account when it comes to trying to secure anything not only PHP or Apache or Postfix or anything else

1. You and your users still need to be able to use it
2. The server can be as secure as possible but a few lines of bad code can really screw up your morning.

There are a few things to keep in mind when configuring the php.ini file

Firstly its probably not a bad idea to chroot your apache server, there are a few very good examples on how to do this on the web Just do a search in google or something

in your php.ini file

add the following
safe_mode = On
safe_mode_gid = Off
expose_php = Off
register_globals = Off
display_errors = Off
log_errors = On
error_log = "filename"

safe_mode = On

By switching on the safe_mode, you have just made your server probably twice as secure as it was before.
Safe mode will ensure that only the owner of the file or script is able to read or execute that file or script





Here is an example
-rw-rw-r-- 1 joeuser joeuser 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd

Running this script.php
readfile('/etc/passwd');
?>results in this error when safe mode is enabled:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

OF course we will also be logging this info to a log file rather than displaying the error

safe_mode_gid = Off

This is pretty much the same as safe_mode excepts it related directly to the GID or Group ID
If for instance we use this example, you will see how this can back fire on you if its not set to off. Although in some environments gaving GID On is fine.

-rw-rw-r-- 1 joeuser joeuser 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root joeuser 1116 May 26 18:01 /usr/local/etc/passwords

Running this script.php
readfile('/usr/local/etc/passwords');
?>Because the group info is the same, I can view the passwords file even though we set safe_mode = On
Without having safe_mode_gid = Off It will not restrict me directly to the UID which is what we want effectively making the file similar to 700

expose_php = Off

Turning off the "expose_php" directive causes PHP to not show information about itself in HTTP headers that are being sent to client systems in responses to their web requests.

register_globals = Off

When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are registered as global variables, This can pose a serious security threat, it is strongly recommended to turn this parameter off if you are running an older version from 4.2.0 it has been turned off by default, but you should still double check. If an application you use requires that Register Globals be On I suggest you get it rewritten fixed etc or stop using it.

display_errors = Off

This directive will not do anything magical, however if there is a problem in the code of if the backend Database is down (if there is one) you will not see the error messages on the screen this is because we don't necessarily want someone to see too much information like that user root@localhost can't log into the database and the data base is called jacks-db, Im sure you can see where I am going with this.

log_errors = On

Simply put we want to log our errors
where we log them will be defined in the next directive

error_log = "filename"
error_log = /var/log/php-errors/php.log
Or something like that its up to you


You might also want to check this out

disable_functions = phpinfo, curl_exec, curl_init, passthru, show_source, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system

This stops PHP scripts from using these functions you might need some of them but your average web site or even web based application probably would not need these.

Comments

Popular posts from this blog

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products What is Rancid? Rancid is an application that monitors a devices configuration including software and hardware. The configuration is then stored in a Concurrent Version System or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as notify you when a configuration has changed, i.e a firewall rule or a routers IP address or access list change. here is an example of the output =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 the - symbol represents what was removed the + symbol represents what was added The abo

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide What is TACACS As per wikipedia Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD This guide is intended to be a basic implementation of TACACS+, so although there are may features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure on another platform. You may also want to check out my Rancid How-To Once again its in your ports directory. cd to /usr/ports/net/tac_plus4/ run a "make install clean" Once installed vi /usr/local/etc/rc.d/tac_plus.sh Then Change the following line from NO to YES tac_plus_enable=$ Save the file, then vi /e

Setting up a Cisco 800 series Router for ADSL

Setting up a Cisco 800 series Router for ADSL Not that the Average user would use a Cisco ADSL router, or if they do use a Cisco product it would probably be a Linksys router. Anyway here is the config with comments in between. all comments are in italics You might want to check out the Cisco DYNDNS configuration guide too NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series DSL routers in general including the Cisco 827 Cisco 837 Cisco 877W This example is a basic setup for just access to the web you can enable PAT or Port Address Translation on the router to allow access from the outside to a server or something like that. Also this setup is for a Dynamic IP from the ISP you might also want to checko out the how to on setting up SSH login on the router no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname # your router name i.e. Bobs Router ! boot-st