PHP is a server-side (web) scripting language used to produce dynamic web pages; HTML by itself is static markup.
php.ini is PHP's main configuration file, usually located at /etc/php.ini on most Linux distributions. If you build PHP from source, the path to php.ini can be changed at configure time:
./configure --with-config-file-path=/path/to/php.ini
php.ini contains many directives that can be used to harden web applications.
******************Configuration Start************************
;root of the PHP pages
doc_root = "/var/www/html:/etc/scripts/"
;directory under which PHP opens the script
user_dir = /etc/scripts
include_path =
;path to web root
;caution: include all directories which you use
open_basedir = /var/www/html
save_path =
;disable global variables
register_globals = Off
track_errors = yes
display_errors = Off
;will hide PHP version information
expose_php = Off
;remove functions based on your requirements
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
disable_classes =
safe_mode = Off
use_trans_sid =
allow_url_fopen = Off
allow_url_include = Off
group_id = 100
magic_quotes_gpc = Off
;disable if files are not uploaded to the Web server
file_uploads = On
upload_max_filesize =
;memory_limit below is set to a very high value
;recommended value is 8M
memory_limit = 128M
;if set to a high value the server may be exposed to DoS
;recommended value is 2M
post_max_size = 8M
upload_tmp_dir =
user_id = 100
force_redirect = 1
cgi.force_redirect = 1
auto_prepend_file =
auto_append_file =
;Disable Remote File Includes
allow_url_fopen = Off
allow_url_include = Off
;session.cookie_httponly = 1
;session.referer_check = your_url.tld
;session.cookie_secure = 1
******************Configuration End************************
The post HTTP Response Headers for Mitigating Web Hacks is in line with this blog post and might be useful to some of you.
To test a php.ini configuration for security issues, download PHPSecInfo, a security auditing tool:
http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
Uncompress the archive into the web server's root directory (say, /var/www/html) and access the URL given below:
https://testserver.com/phpsecinfo/phpsecinfo-20070406/index.php
NOTE: If no php.ini is in use, PHPSecInfo will try to read the values from PHP's built-in defaults or from httpd.conf/lighttpd.conf.
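An offline check in the same spirit as PHPSecInfo, added here as an example (it is neither PHPSecInfo's code nor part of the original post): it parses a php.ini file and reports directives that deviate from the settings recommended above. The sample php.ini at the bottom is constructed for the demonstration; run audit() on the contents of your own /etc/php.ini instead.

```python
import re
# Directive -> value the post recommends.
EXPECTED = {"expose_php": "off", "display_errors": "off", "register_globals": "off",
            "allow_url_fopen": "off", "allow_url_include": "off",
            "session.cookie_httponly": "1", "session.cookie_secure": "1"}
# A few of the functions the post lists under disable_functions.
MUST_DISABLE = {"exec", "system", "shell_exec", "passthru", "proc_open", "phpinfo"}
# Upper bounds the post recommends: post_max_size 2M, memory_limit 8M.
SIZE_CAPS = {"post_max_size": 2 * 1024 ** 2, "memory_limit": 8 * 1024 ** 2}

def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment and [sections] are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip().strip('"')
    return conf

def parse_size(value):
    """Convert php.ini shorthand (8M, 512K, 1G) to bytes; None if unparseable."""
    m = re.fullmatch(r"(\d+)\s*([kmg]?)", value.strip().lower())
    return int(m.group(1)) << {"": 0, "k": 10, "m": 20, "g": 30}[m.group(2)] if m else None

def audit(text):
    """Return one finding per directive that deviates from the post's advice."""
    conf = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, "").lower()
        if got != want:
            findings.append(f"{key} is '{got or 'unset'}', expected '{want}'")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",")}
    for fn in sorted(MUST_DISABLE - disabled):
        findings.append(f"{fn} is not in disable_functions")
    for key, cap in SIZE_CAPS.items():
        size = parse_size(conf.get(key, ""))
        if size is None or size > cap:
            findings.append(f"{key} is '{conf.get(key, 'unset')}', expected at most {cap >> 20}M")
    return findings
SAMPLE_INI = """expose_php = Off
display_errors = Off
register_globals = Off
allow_url_fopen = Off
disable_functions = exec, system, shell_exec, passthru, proc_open
memory_limit = 128M
post_max_size = 8M
;session.cookie_httponly = 1
"""  # constructed sample mirroring the post's php.ini, session line still commented out
```

Commented-out directives are treated as unset, so the session cookie lines from the configuration above are reported until they are actually enabled.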
Below is an example snapshot giving a notice on a probable improper configuration.
The next snapshot gives a warning on an insecure configuration.
The last snapshot shows the "Tests not run" section and the Results Summary page.
To view the web server and PHP configuration, write a short script that calls the phpinfo() function and host it in the web server's root directory. Note that the disable_functions list above includes phpinfo, so the script only works while that entry is absent; remove the script once you have read the output, since it exposes configuration details to anyone who can reach it.
*********praveend.php************
root@praveend:~# cat praveend.php
<?php
// prints the full PHP and web server configuration
phpinfo();
?>
root@praveend:~#
*********praveend.php************
Access praveend.php as shown in the snapshot below.
The links below might be useful for securing web servers running PHP scripts.
http://php.net/manual/en/index.php
http://www.madirish.net/node/229
http://phpsec.org/projects/guide/