Skip to content Skip to navigation

8 essential checks on securing PHP

December 08, 2012
8 essential checks on securing PHP

Obviously, PHP+ MySQL + Apache is a popular web technology.Its components are powerful, versatile and Free. However, the default settings ship with PHP is not suitable for production sites. Here, it is a check list of settings that are intended to harden the default PHP installation.

1)Disable Remote URLs for File Handling Functions

File handling function like fopen, contents which accepts URLs as file parameters (for example: fopen('http://www.yoursite.info','r')).These function facilitate the ease of development on accessing remote resources; however, it poses a significant security thread . If the filename is taken from user input and without proper sanitization, this is highly vulnerable. To disable this and limit file function to local system, apply the following setting in php.ini:

allow_url_fopen = Off

Disable this, there are still alternative way to access network resources by using fsockopen or CURL function.

 

2)Disable Register Global

Prior to version 4.2.0, PHP used to provide input values as global variables. This feature was named register_globals, and it was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables in many situations. Fortunately it's disabled by default from PHP 4.2.0 and on, because it's dangerous on so many scales. Do not enable it no matter what. If some script requires it then the script is most likely insecure. If a developer requests it to be enabled, then they are very likely to be incompetent. Don't listen to them and keep it off!

register_globals = Off

 

3)Restricting What PHP can Read & Write

In many web development, PHP scripts may I/O access to certain sub-directory in the filesystem, such as:/var/www/htdocs/files. To enhance the security, you can limit what fopen and other file access function can read and write by using the following directive:

open_basedir = /var/www/htdocs/files

 

4)Posing Limit

Limiting on PHP's execution time, memory usage,POST and upload data are always a security best practice. To do this, apply the following setting in PHP.ini:

max_execution_time = 30  ; Max script execution time

max_input_time = 60      ; Max time spent parsing input

memory_limit = 16M       ; Max memory used by one script

upload_max_filesize = 2M ; Max upload file size

post_max_size = 8M       ; Max post size

 

5)Disable Error Message and enable Logging

By default, PHP prints error messages to the browser's output. This is desirable setting during development process, however it may reveal security a lot of security information to users, like installation paths or username. In production, it is highly recommend to disable the error message and send error messages to a log file instead:

display_errors = Off

log_errors = On

 

6)Hiding The Presence Of PHP

PHP reveals its presence on the server in a variety of ways: It may send an HTTP header (X-Powered-By: PHP), or append its name and version to Apache's signature. In addition, there are easter egg URLs that return the PHP logo, one of them is: http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000



Obviously there is no reason to let end users know about the server's PHP version. Luckily, there is a switch in php.ini that will disable all of the above:

expose_php = Off

 

7)Advanced Safe Mode setting

By default, PHP come with safe mode setting. In this mode, access to files not owned by Apache is disabled, and access to environment variables and execution of binary programs are also disabled. The biggest problem with safe mode is that only files owned by Apache are accessible to PHP scripts. This is often impractical when many developers are working on the same project, or when you want PHP to read a file without changing its ownership. Another affected situation is when you want PHP to read files generated by other programs. To work around this, there is a setting that checks for file group instead of owner:

safe_mode = Off safe_mode_gid = On

By enable safe_mode_gid, PHP will be open file that belong to Apache's group regardless of the owners.

Other than that, Safe Mode is useful in stopping PHP from executing binaries. However, in some situation, you may need to let it run in specific programs.In this case place these binaries (or symbolic links to them) in a directory (/var/www/binaries for instance) and use the following option:

safe_mode_exec_dir = /var/www/binaries

Finally, to allow access to certain environment variables, use the following setting, providing a comma-separated list of prefixes. Only environment variables which names begin with one of the prefixes will be accessible:

safe_mode_allowed_env_vars = PHP_

 

8)Limit Certain File Name Pattern accessible by public user

Due to security reason, there are many file extensions should not be accessible by end user. For example, .inc, it may contain a lot of sensitive data like MySQL username and password. Without proper configuration, anyone can view the source code by requesting the file itself: http://www.yourdomain.info/includes/settings.inc. To enhance the security, you can apply the following setting in .htaccess file or in Apache configuration. Adding more file extensions should be trivial to those familiar with regular expressions.

<filesmatch>

  Order allow,deny

  Deny from all

</filesmatch>

 

To Conclude

The default PHP configuration is intended for development purpose. As security is a raising concern, it is advisable to re-configure PHP before going into production phase.

Taxonomy: