Securing PHP

by Mike on May 22, 2009 · 2 comments

in Web Server

Security Considerations for PHP
PHP is the most popular scripting language used on the Internet and is a necessary component to many of the blogs and content management systems today.  One of the important steps in securing your website is to disable those insecure options that are possible on PHP.  These parameters can be found in your /etc/php.ini file.  Now before you go crazy with modifying all of your settings do two things:  make a copy of your /etc/php.ini and read the configuration requirements for any PHP programs you are using.  Of course it makes sense to backup the php.ini as you may make adjustments that break things and you need to return to previous settings.  Unfortunately, many PHP programs use insecure settings, so if you need to use those programs you certainly cannot secure them…be prepared for the consequences.  These settings are a place to start.  Once you make the changes be sure to restart Apache and verify closely that all will work correctly.  You will be able to locate each of these settings in the /etc/php.ini.

This option changes request parameters into PHP global parameters.

register_globals = Off

This will allow programmers to treat URLs as files.

allow_url_fopen = Off

Because PHP can load modules from a script it could allow an attacker to load a malicious script and control your web server.

enable_dl = Off

This option will enable code to be put into the browser to find information about your PHP installation.

expose_PHP = Off

Enter this line in your web server and you will suddenly see information that could be available to an attacker.



disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

The first line disables URL-aware fopen wrappers that enable accessing URL object like files. The second one disables a lot of PHP functions:

* shows_source — an alias of highlight_file() which provides syntax highlighting for files;
* system — allows execution of external programs;
* shell_exec — allow execution of commands via a shell;
* exec — allow execution of commands;
* passthru — similar to the exec() function, allows execution of commands;
* phpinfo — outputs PHP information that could be used by potential intruders;
* popen — opens a pipe to a process being executed by a certain command;
* proc_open — similar to popen() but provides better control over command execution.

This may cause you some problems so you need to test …and have others test so that you are sure you can secure these options.

Previous post:

Next post: