Securing your PHP installation - Printable Version +- Webnetics UK Ltd. - Forums (https://www.webneticsuk.com/forum) +-- Forum: News & Announcements (https://www.webneticsuk.com/forum/forumdisplay.php?fid=2) +--- Forum: VWDesigns Blog (https://www.webneticsuk.com/forum/forumdisplay.php?fid=12) +---- Forum: Server (https://www.webneticsuk.com/forum/forumdisplay.php?fid=18) +---- Thread: Securing your PHP installation (/showthread.php?tid=33) |
Securing your PHP installation - webnetics - 06-02-08 PHP is ideal for anyone looking to build rich, dynamic sites, but it can work against you if hackers discover a flaw in your web app. Security holes can be blocked, however, by customising your php.ini file (if you don't run the server yourself, creating the file in your site's root directory, usually public_html, will work fine). For instance, a typical exploit uses PHP to read files it shouldn't be able to access. But employ the open_basedir directive and you can restrict PHP to a particular part of the directory tree. Set "open_ basedir = /var/wwwr for example, and it's able to run scripts under the web server root directory only. The allow_url_fopen directive is another risky convenience. It lets programmers open a URL as a file, perhaps even executing the code it contains, allowing hackers to display private information or otherwise attack your server. If you don't need it it's best to turn it off: set "allow_url_fopen = Off". PHP's file upload code is a complex area where future vulnerabilities could emerge. If you don't need to upload files, turn it off: "file_uploads = Off". PHP maintains information on current users by creating a session. But this involves saving details in a file, by default the /tmp folder. Anyone with system access to that folder will be able to learn more about your set-up and maybe even hijack a session. Create a new directory only you can access and save the session data there ("session.save_path = /var/www/mysessions", for instance). Displaying errors to users is a bad idea, as error messages may contain information that's useful to hackers. Disable this with the commands "display_ errors = Off" and "display_startup_errors = Off". If there are problems with the site then turn error logging on ("log_errors = On"). The error_log command will tell PHP where to save any errors (uk3.php.net/rnanual/en/referrorfunc.phbtkini. error-loq). Better still, make it harder for hackers to find out more about the version of PHP on your server by setting "expose_php = Off". Real experts can even disable particular PHP functions through the disable_functions directive. Use "disable_functions = apache_getenv", for instance, and scripts can't be abused to find out more about your server set-up. Of course if your scripts use any of these functions, then disabling them could lead to odd behaviour. Add just one php.ini directive at a time, and test carefully to confirm everything still works. |