Enhance PHP's security _php base by configuring some of the server-side features of PHP

Improve PHP security by configuring some of the server-side features of PHP

by san@xfocus.org

The front like Shaun Clowes and RFP are more detailed about the PHP, CGI program in the process of programming problems encountered, and how to pass
Over the application vulnerabilities Breakthrough system, this article we have to use some of the PHP server-side features to configure the security of PHP to enhance. Write
CGI script we do pay attention to various security issues, strict filtering of user input, but often walk on the shore where there is not wet shoes
, eat sesame seeds where there is not to fall, people have lost hoof horse miss, even the famous Phpnuke, phpMyAdmin and other procedures have appeared very serious
Problem, not to mention the script that I've been writing for little punks. So now let's assume that the PHP script is already having serious problems, like a while ago
Phpnuke can upload a php script big problem, how we through the configuration of the server so that the script is so problem can not break through
System.

1, compile time to pay attention to the known vulnerabilities
 starts with 4.0.5, PHP's mail function adds a fifth parameter, but it doesn't filter properly, allowing PHP applications to break through
safe_mode to execute a command. So when using 4.0.5 and 4.0.6, we need to modify the PHP source package before compiling.
EXT/STANDARD/MAIL.C file, prohibit the mail function from the fifth parameter or filter the shell character. In the 152th of the mail.c file
 line, which is the following line:
if (extra_cmd!= NULL) {
 followed by extra_cmd=null; or extra_cmd = Php_escape_shell_cmd (extra_cmd); then compile PHP
 then we patched up the loophole.

2, modify the php.ini configuration file
 the PHP release version of the Php.ini-dist as the blueprint for the revision.
1) Error Handling and logging
In the error handling and logging part can make some settings. First find:
display_errors = On
php the error message is displayed by default, we change it to:
display_errors = Off
When the error is displayed, the PHP function does not display the wrong information to the user, which in some way prevents the attacker from
The error message that the physical location of the script, as well as some other useful information, at least to the attacker's black box detection caused a certain obstacle
. These error messages may be useful to us and can be written to the specified file, then modify the following:
log_errors = Off
Change to:
log_errors = On
and specify the file, locate the following line:
;error_log = filename
Remove the previous note, change the filename to the specified file, such as/usr/local/apache/logs/php_error.log
error_log =/usr/local/apache/logs/php_error.log
All errors will be written in the Php_error.log file.
2) Safe Mode
php's Safe_mode function restricts or disables many functions, and can solve PHP's security problems to a large extent. In
The safe mode section finds:
safe_mode = Off
Change to:
safe_mode = On
This opens the Safe_mode function. Like some functions that can perform system commands shell_exec () and ' are forbidden, the other one
Executive functions such as exec (), System (), PassThru (), Popen () will be restricted to perform only
safe_mode_exec_dir the program in the specified directory. If you are really going to execute some commands or procedures, find the following:
safe_mode_exec_dir =
Specifies the path of the program to be executed, such as:
safe_mode_exec_dir =/usr/local/php/exec
Then copy the program to the/usr/local/php/exec directory so that the restricted function like the above can execute the directory
Procedures in the.
For more information about restricted functions in safe mode, check out the instructions for the main PHP site:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are not very clear about the harmfulness of some functions, and do not use them, simply disable these functions. Find the following line:
disable_functions =
After "=" plus the function to be banned, multiple functions separated by ",".

3. Modify Httpd.conf
 If you only allow your PHP script program to operate in a Web directory, you can also modify the httpd.conf file to restrict the way PHP is operated. Than
 as your web directory is/usr/local/apache/htdocs, then add a few lines to the httpd.conf:
<directory/usr/local/apache/htdocs>
php_admin_value Open_basedir/usr/local/apache/htdocs
</directory>
 this way, if the script is to read files other than/usr/local/apache/htdocs, it will not be allowed if the error appears open
 will prompt for such an error:
warning:open_basedir restriction in effect. The File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
 and so on.

4, the PHP code to compile
zend contributes a lot to PHP, PhP4 's engine is Zend, and it also develops zendoptimizer and Zendencode
 and many other PHP-enhanced components. Optimizer Zendoptimizer can be obtained free of charge only with http://www.zend.com registration.
 The following are the Zendoptimizer for 4.0.5 and 4.0.6, and the file names are for each individual system:
zendoptimizer-1.1.0-php_4.0.5-freebsd4.0-i386.tar.gz
zendoptimizer-1.1.0-php_4.0.5-linux_glibc21-i386.tar.gz
zendoptimizer-1.1.0-php_4.0.5-solaris-sparc.tar.gz
zendoptimizer-1.1.0-php_4.0.5-windows-i386.zip
 Optimizer installation is very convenient, the package contains a detailed description. Take the UNIX version as an example, see the operating system, the bag
zendoptimizer.so file to a directory, assuming that the/usr/local/lib, in the php.ini add two sentences:
zend_optimizer.optimization_level=15
zend_extension= "/usr/local/lib/zendoptimizer.so"
 is OK. With Phpinfo () see the following text on the left side of the Zend icon:
with Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
 So, the optimizer has been hooked up successfully.
 but compiler zendencode is not free, here to provide you with a http://www.PHPease.com ma Yong design
 compiler Enclosure, if used for commercial purposes, please contact http://www.zend.com to obtain the license agreement.
After the php script compiles, the script's execution speed increases many, the script file can see only a heap of garbled, this will prevent the attacker to further analyze the clothing
The script on the , and passwords previously stored in plaintext in PHP scripts are also kept secret, such as MySQL's password. But in the suit
 server to change the script is more trouble, or local change good upload it.

5, File and directory permission settings
In addition to uploading directories in the web directory, other directories and file permissions must not allow nobody users to have write permission. Otherwise, the attacker could
 to modify the home page files, so the permissions for the Web directory must be set up properly.
 also, the owner of a PHP script must not be root, because the function of the Safe_mode read file is limited to the owner of the read file
 is the same as the owner of the currently executing script, or the following error appears if the error appears to be open:
warning:safe MODE restriction in effect. The script whose UID is
allowed to access/etc/passwd owned by UID 0 in/usr/local/apache/htdocs/open.php
on Line 3
 so we can prevent many system files from being read, such as:/etc/passwd.
 upload directory and upload script owners also want to set the same, otherwise there will be errors, in Safe_mode under these should be noted.

6, the MySQL Start permission setting
mysql should note that do not use root to start, it is best to build another Mysqladm user. Can be in/etc/rc.local and other systems
 the startup script, add a sentence:
su mysqladm-c "/usr/local/mysql/share/mysql/mysql.server start"
 This system restarts, it will automatically start the MySQL process with the mysqladmin user.

7, the log file and upload directory audit and
 look at the log and people's inertia has a lot to do with the large log file to find the attack traces in a haystack, and may not have.
web uploaded directory of files, should also be regularly checked, perhaps the program has problems, the user passed some illegal documents, such as execution foot
 and so on.

8, the operating system itself patch
As with , patching a known vulnerability to the system is the basic responsibility of the system administrator, and this is the last line of defense.

Through the above configuration, although not impregnable, but also to a considerable extent to the attacker's test caused a lot of trouble, even if the PHP script
There are more serious loopholes in the order, and the attackers can not cause the actual damage.
If you have a more eccentric, more abnormal configuration method, wish to share and share; (Source: Viphot)