Enhancing PHP security by configuring server-side features

Author: San < xuzhikun@nsfocus.com >
Home: http://www.nsfocus.com
Date: 2001-11-15

Authors such as Shaun Clowes and RFP have already given detailed introductions to the problems encountered when programming PHP and CGI applications and to how application vulnerabilities are used to break into a system. This article instead configures some of PHP's server-side features to strengthen PHP security. When writing CGI scripts we do pay attention to the various security issues and filter user input strictly, but whoever walks by the river will sooner or later get wet feet: even well-known programs such as PHP-Nuke and phpMyAdmin have had very serious problems, let alone the scripts written by small fry like me. So let us now assume that the PHP script has serious problems, for example the earlier PHP-Nuke bug that allowed PHP scripts to be uploaded, and ask how the server can be configured so that a script with such problems still cannot compromise the system.

1. Pay attention to known vulnerabilities at compile time

Starting with 4.0.5, PHP's mail() function gained a fifth parameter, but it was not filtered properly, so a PHP application could break out of the safe_mode restriction and execute commands. When using 4.0.5 or 4.0.6 we therefore have to modify the file ext/standard/mail.c in the PHP source package before compiling, either disabling the fifth parameter of mail() or filtering shell characters out of it. At line 152 of mail.c is the following line:

    if (extra_cmd != NULL) {

Directly after it add either

    extra_cmd = NULL;

or

    extra_cmd = php_escape_shell_cmd(extra_cmd);

and then compile PHP; this patches the vulnerability.

2. Modify the php.ini configuration file

Use the php.ini-dist shipped with the PHP release as the basis for the changes.

1) Error handling and logging

Several settings can be made in the error handling and logging section. First find:

    display_errors = On

PHP enables the display of error messages by default; change it to:

    display_errors = Off

With error display turned off, PHP functions no longer show error messages to the user, which to some extent prevents an attacker from learning the physical location of the script and other useful information from error messages, or at least puts some obstacles in the way of an attacker's black-box probing. Those error messages may still be useful to us and can be written to a specified file instead, so change

    log_errors = Off

to

    log_errors = On

and specify the file: find the line

    ; error_log = filename

remove the leading ";" and replace filename with the chosen file, for example /usr/local/apache/logs/php_error.log:

    error_log = /usr/local/apache/logs/php_error.log

Now all errors are written to php_error.log.

2) Safe mode

PHP's safe_mode feature restricts or disables many functions and can solve a large part of PHP's security problems. In the Safe Mode section find:

    safe_mode = Off

and change it to

    safe_mode = On

This enables safe_mode. Some functions that can run system commands, such as shell_exec() and the backtick operator, are disabled outright; other execution functions such as exec(), system(), passthru() and popen() are restricted to running only programs in the directory specified by safe_mode_exec_dir. If you really need to execute some commands or programs, find

    safe_mode_exec_dir =

and specify the path of the programs to be executed, for example:

    safe_mode_exec_dir = /usr/local/php/exec

Then copy the programs you want to use into /usr/local/php/exec, so that the functions restricted above can still run the programs in that directory.

For more information about the functions restricted in safe mode, see the documentation on the main PHP site:
http://www.php.net/manual/en/features.safe-mode.php

3) disable_functions

If you are not entirely clear about how harmful some functions are and do not use them, simply disable them. Find the line

    disable_functions =

and after the "=" list the functions to be disabled, separated by ",".
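The following script is an added example and not part of the original article: it reads a php.ini and checks the directives discussed in sections 2.1 to 2.3 (display_errors, log_errors, error_log, safe_mode, disable_functions) against the values recommended above. The two sample php.ini files it writes are constructed for the demonstration, and the /usr/local/lib/php.ini path in the usage note is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article): audit a php.ini for the
# directives the article recommends. audit_php_ini returns 0 when all of
# them are set as advised and 1 otherwise, printing one line per finding.

# ini_get FILE KEY -> prints the effective value of KEY, i.e. the last
# uncommented "KEY = value" line, with trailing whitespace and quotes removed.
# Lines commented out with ";" never match because KEY must start the line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# audit_php_ini FILE -> check error handling, safe mode and disabled functions
audit_php_ini() {
    rc=0
    case "$(ini_get "$1" display_errors)" in
        Off|off|0) ;;
        *) echo "display_errors should be Off"; rc=1 ;;
    esac
    case "$(ini_get "$1" log_errors)" in
        On|on|1) ;;
        *) echo "log_errors should be On"; rc=1 ;;
    esac
    [ -n "$(ini_get "$1" error_log)" ] || { echo "error_log is not set"; rc=1; }
    case "$(ini_get "$1" safe_mode)" in
        On|on|1) ;;
        *) echo "safe_mode should be On"; rc=1 ;;
    esac
    [ -n "$(ini_get "$1" disable_functions)" ] \
        || { echo "disable_functions is empty"; rc=1; }
    return $rc
}

# mk_sample_inis WEAK HARD -> writes two constructed sample files: WEAK with
# the php.ini-dist style defaults, HARD with the settings from this article
mk_sample_inis() {
    cat > "$1" <<'EOF'
; constructed sample: php.ini-dist style defaults
display_errors = On
log_errors = Off
; error_log = filename
safe_mode = Off
safe_mode_exec_dir =
disable_functions =
EOF
    cat > "$2" <<'EOF'
; constructed sample: hardened as described in the article
display_errors = Off
log_errors = On
error_log = /usr/local/apache/logs/php_error.log
safe_mode = On
safe_mode_exec_dir = /usr/local/php/exec
disable_functions = shell_exec,passthru,popen
EOF
}

# Usage: sh audit_php_ini.sh /usr/local/lib/php.ini   (path is an assumption)
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
fi
```

Run against the hardened sample the audit prints nothing and returns 0; against the default sample it prints five findings and returns 1. The script only looks at the ini file, so it does not see values that httpd.conf overrides with php_admin_value; check those in phpinfo() output.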

3. Modify httpd.conf

If your PHP scripts only need to operate within one web directory, you can also modify httpd.conf to restrict the paths PHP may access. For example, if your web directory is /usr/local/apache/htdocs, add these lines to httpd.conf:

    <Directory /usr/local/apache/htdocs>
    php_admin_value open_basedir /usr/local/apache/htdocs
    </Directory>

This way a script that tries to read a file outside /usr/local/apache/htdocs is refused, and if error display is on, an error like the following is shown:

    Warning: open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4

and so on.

4. Compiling the PHP code

Zend has contributed a great deal to PHP: the PHP 4 engine is Zend, and Zend has developed Zend Optimizer, Zend Encoder and many other components that enhance PHP. The optimizer, Zend Optimizer, is available free of charge after registering at http://www.zend.com; the Zend Optimizer packages for PHP 4.0.5 and 4.0.6 are named as follows for the respective systems:

Zendoptimizer-1[1].1.0-php_4.0.5-freebsd4.0-i386.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-linux_glibc21-i386.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-solaris-sparc.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-windows-i386.zip

Installing the optimizer is very easy, and the package contains a detailed description. Taking the UNIX version as an example: extract the ZendOptimizer.so file from the package into a directory, say /usr/local/lib, and add two lines to php.ini:

    zend_optimizer.optimization_level=15
    zend_extension="/usr/local/lib/ZendOptimizer.so"

That is all. If phpinfo() shows the following text to the left of the Zend logo:

    With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies

then the optimizer has been loaded successfully.

The compiler, Zend Encoder, is not free. Here we point you to the compiler front-end designed by Ma Yong of http://www.PHPease.com; if you use it for commercial purposes, please contact http://www.zend.com to obtain a license agreement.

After a PHP script is compiled its execution speed increases considerably, and the script file shows only a pile of unreadable bytes, which prevents an attacker from analyzing the script further on the server; passwords that used to be stored in plaintext in PHP scripts, such as the MySQL password, are also kept secret. But changing scripts on the server side becomes more cumbersome; it is better to change them locally and upload them.


5. File and directory permission settings

Apart from the upload directory within the web directory, no other directory or file may be writable by the nobody user; otherwise an attacker can modify the main files, so the permissions of the web directory must be set carefully. Also, the owner of a PHP script must not be root, because safe_mode limits file reading: the owner of the file being read must be the same as the owner of the current script, so a root-owned script would be allowed to read root-owned system files. With correct ownership, if error display is on, an attempt to read such a file produces an error like the following:

    Warning: SAFE MODE Restriction in effect. The script whose uid is [uid] is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3

This prevents many system files, such as /etc/passwd, from being read.

The upload directory and the upload script should also be given the same owner, otherwise errors occur; these points need attention under safe_mode.
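As an added example (not from the original article), the script below checks the two permission rules of this section: it lists everything under the web root, except the upload directory, that is writable by "other" (the usual way the nobody user obtains write access), and it lists PHP scripts owned by root. The sample directory tree it builds is constructed for the demonstration; the /usr/local/apache/htdocs paths are the article's example and are assumptions for your server.

```sh
#!/bin/sh
# Added example (not from the original article): audit web directory
# permissions as recommended in section 5.

# writable_outside_upload WEBROOT UPLOADDIR -> prints files and directories
# under WEBROOT that are writable by "other", skipping UPLOADDIR entirely
writable_outside_upload() {
    find "$1" -path "$2" -prune -o -perm -002 -print
}

# root_owned_scripts WEBROOT -> prints PHP scripts owned by root, which
# safe_mode's owner check would let read root-owned files such as /etc/passwd
root_owned_scripts() {
    find "$1" -type f -name '*.php' -user root -print
}

# mk_sample_tree BASE -> constructed sample tree: a correctly protected
# index.php, a world-writable upload directory (allowed) and a
# world-writable admin/config.php (the mistake the audit should catch)
mk_sample_tree() {
    mkdir -p "$1/htdocs/upload" "$1/htdocs/admin"
    echo '<?php ?>' > "$1/htdocs/index.php"
    echo '<?php ?>' > "$1/htdocs/admin/config.php"
    chmod 755 "$1/htdocs" "$1/htdocs/admin"
    chmod 644 "$1/htdocs/index.php"
    chmod 666 "$1/htdocs/admin/config.php"
    chmod 1777 "$1/htdocs/upload"
}

# Usage (paths are assumptions):
#   writable_outside_upload /usr/local/apache/htdocs /usr/local/apache/htdocs/upload
#   root_owned_scripts /usr/local/apache/htdocs
if [ $# -eq 2 ]; then
    writable_outside_upload "$1" "$2"
    root_owned_scripts "$1"
fi
```

The -perm -002 test only covers the "other" bits; if the web server runs in a group that owns web files, add a second find with -perm -020 for group-writable entries.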

6. MySQL startup permission settings

MySQL should not be started as root; it is best to create a separate mysqladm user. Add a line such as the following to /etc/rc.local or another system startup script:

    su mysqladm -c "/usr/local/mysql/share/mysql/mysql.server start"

This way the MySQL process is also started automatically as the mysqladm user after the system reboots.

7. Auditing log files and the upload directory

Reviewing logs is largely a matter of overcoming one's own laziness: looking for traces of an attack in a large log file is like looking for a needle in a haystack, and there may be nothing there at all. The files in the web upload directory should also be checked frequently; perhaps the program has problems and a user has uploaded some illegal files, such as executable scripts.
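One way to make the log review of this section less of a needle-in-a-haystack job, as an added example that is not part of the original article: summarise the open_basedir and safe_mode warnings that the settings from sections 3 and 5 write to the error_log file, counting them per script and listing which files were refused. The log lines below are constructed in the format of PHP 4's error_log; the uid 99 and the file paths in them are sample values, not taken from a real server.

```sh
#!/bin/sh
# Added example (not from the original article): find restriction warnings
# in the PHP error log so repeated probing of one script stands out.

# restriction_hits LOG -> "COUNT SCRIPT" lines for scripts that triggered an
# open_basedir or safe_mode restriction, most frequent first
restriction_hits() {
    grep -E 'open_basedir restriction|SAFE MODE Restriction' "$1" \
        | sed -n 's/.* in \(\/[^ ]*\) on line [0-9]*$/\1/p' \
        | sort | uniq -c | sort -rn \
        | sed 's/^[[:space:]]*//'
}

# blocked_targets LOG -> distinct files that safe_mode refused to open
blocked_targets() {
    sed -n 's/.*not allowed to access \([^ ]*\) owned by.*/\1/p' "$1" | sort -u
}

# mk_sample_log FILE -> constructed sample log in PHP 4's error_log format
mk_sample_log() {
    cat > "$1" <<'EOF'
[15-Nov-2001 10:02:11] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
[15-Nov-2001 10:02:15] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 99 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
[15-Nov-2001 10:03:40] PHP Warning:  Undefined variable: id in /usr/local/apache/htdocs/news.php on line 12
[15-Nov-2001 10:05:02] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
[15-Nov-2001 10:07:19] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 99 is not allowed to access /etc/shadow owned by uid 0 in /usr/local/apache/htdocs/view.php on line 8
EOF
}

# Usage: sh restriction_hits.sh /usr/local/apache/logs/php_error.log
# (the log path is the article's example and an assumption for your server)
if [ $# -gt 0 ]; then
    echo "restriction warnings per script:"
    restriction_hits "$1"
    echo "files refused by safe_mode:"
    blocked_targets "$1"
fi
```

On the sample log the first summary line is "3 /usr/local/apache/htdocs/open.php" and the refused files are /etc/passwd and /etc/shadow; the unrelated undefined-variable warning is ignored. Either list is a sign that a script on the server is being used to read files it should not, which is exactly the case these settings were put in place for.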

8. Patching the operating system itself

Patching known vulnerabilities in the system is the basic duty of the system administrator, and it is the last line of defense.


After the configuration above the system is still not impregnable, but it causes an attacker considerable trouble: even if the PHP script has a fairly serious vulnerability, the attacker cannot do real damage. If you have even more eccentric or unusual configuration methods, please share them.
