Enhanced PHP Security through configuration of server-side features

Author: San < xuzhikun@nsfocus.com >
Home: http://www.nsfocus.com
Date: 2001-11-15

The front like Shaun Clowes and RFP are more detailed introduction of PHP, CGI program encountered in the programming process, and how to break through the system through application vulnerabilities, this article we have some PHP server-side features to be configured to enhance the security of PHP. Write CGI script when we do certainly pay attention to a variety of security issues, the user input strict filtering, but often on the shore where there are not wet shoes, eat sesame seeds which do not drop sesame, people have lost hoof horse has misses, even the famous Phpnuke, phpMyAdmin and other procedures have appeared very serious problems, Not to mention the script that I waited for the little punk to write. So now let's assume that PHP scripts are already having serious problems, such as the big problem of uploading PHP scripts for a while, and how we can make the script so problematic and not break through the system by configuring the server Phpnuke.

1, compile the time to pay attention to fill in the known loopholes

Starting with 4.0.5, the PHP mail function adds a fifth parameter, but it does not filter properly, allowing the PHP application to break the Safe_mode limit and execute the command. So when using 4.0.5 and 4.0.6, we need to modify the PHP source package before compiling.
The ext/standard/mail.c file prohibits the fifth parameter of the mail function or filters the shell characters. In MAIL.C
The 152th line of the file, which is the following line:
if (extra_cmd! = NULL) {
Add Extra_cmd=null to the rear, or Extra_cmd = Php_escape_shell_cmd (extra_cmd);
And then compile PHP, then we patched up the bug.

2. Modify the php.ini configuration file

The PHP release version of the Php.ini-dist as a blueprint for modification.
1) Error Handling and logging
Some settings can be made in the error handling and Logging section. Find it first:
Display_errors = On
PHP default is to open the error message displayed, we changed it to:
Display_errors = Off

When the error display is turned off, the PHP function error message will no longer be displayed to the user, which can be
To prevent attackers from knowing the physical location of the script and some other useful information from the error message, at least to the attacker's black-box detection caused some obstacles. These error messages may be useful to us and can be written to the specified file, so modify the following:
Log_errors = Off
Switch
Log_errors = On

and specify the file, locate the following line:
; error_log = filename
Remove the previous comment and change the filename to the specified file, as
/usr/local/apache/logs/php_error.log

Error_log =/usr/local/apache/logs/php_error.log
All errors will be written in the Php_error.log file.

2) Safe Mode

PHP's Safe_mode functionality has been limited or disabled for many functions, and can be largely solved by PHP's
Security issues. Found in the Safe Mode section:
Safe_mode = Off
Switch
Safe_mode = On

This opens the Safe_mode feature. Like some functions that can execute system commands shell_exec () and ' are forbidden, some other execution functions such as: exec (), System (), PassThru (), Popen () will be restricted to perform only safe_mode_exec_ DIR Specifies the program under the directory. If you are really going to execute some commands or programs, find the following:
Safe_mode_exec_dir =
Specifies the path to the program to execute, such as:
Safe_mode_exec_dir =/usr/local/php/exec

Then the program to be used is copied to the/usr/local/php/exec directory, so that, like the above is restricted
Function can also execute the program in that directory.

For more information about restricted functions in safe mode, see the instructions for the main PHP station:
http://www.php.net/manual/en/features.safe-mode.php

3) Disable_functions

If you are not very clear about the harmfulness of some functions, and do not use them, simply disable these functions
Stop. Find the following line:
Disable_functions =
After "=", add the function to be forbidden, and multiple functions are separated by ",".

3, modify the httpd.conf

If you only allow your PHP script to operate in the Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, if your web directory is/usr/local/apache/htdocs, then
The httpd.conf adds a few lines:

　
Php_admin_value Open_basedir/usr/local/apache/htdocs
　

This way, if the script is to read a file other than/usr/local/apache/htdocs will not be allowed,
If the error display is open,

Will prompt for such errors:
Warning:open_basedir restriction in effect. File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
Wait a minute.

4. Compile the PHP code

Zend has contributed a lot to PHP, PhP4 's engine is Zend, and it has developed zendoptimizer
And Zendencode, and many other PHP-enhanced components. The optimizer Zendoptimizer simply
Http://www.zend.com registration can be obtained free of charge, the following are for 4.0.5 and 4.0.6
Zendoptimizer, file names for each of the respective systems:

Zendoptimizer-1[1].1.0-php_4.0.5-freebsd4.0-i386.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-linux_glibc21-i386.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-solaris-sparc.tar.gz
Zendoptimizer-1[1].1.0-php_4.0.5-windows-i386.zip


The optimizer is very easy to install, with detailed instructions in the package. In the case of UNIX versions, see
The zendoptimizer.so file in the package into a directory, assuming that the/usr/local/lib
Next, add two sentences to the php.ini:
Zend_optimizer.optimization_level=15
zend_extension= "/usr/local/lib/zendoptimizer.so"

You can do it. Use Phpinfo () to see the Zend icon to the left with the following text:
With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies

Well, the optimizer has hooked up successfully.
But the compiler zendencode is not free, here is to provide you with a
Http://www.PHPease.com the MA Yong design of the compiler shell, if used for commercial purposes, please contact the
Http://www.zend.com Contact to obtain the license agreement.

After the PHP script compiles, the script executes a lot faster, the script file can only see a bunch of garbled characters, which will
Prevents an attacker from further analyzing the script on the server and originally stored in plaintext in a PHP script
Password has also been kept secret, such as MySQL password. But in the server-side to change the script is more troublesome,
Change it locally and upload it again.


5. Permissions settings for files and directories

In addition to uploading directories in the Web directory, the permissions of other directories and files must not allow nobody users to write
Permissions. Otherwise, the attacker can modify the home page file, so the permissions of the Web directory must be set.
。 Also, the owner of the PHP script must not be root, because the function of the Safe_mode read file is limited
The owner of the file being read must be the same as the owner of the current execution script to be read, otherwise if
Error displays such as the following error if it is turned on:

Warning:safe MODE restriction in effect. The script whose UID is
Allowed to access/etc/passwd owned by UID 0 in/usr/local/apache/htdocs/open.php
On line 3
This way we can prevent many system files from being read, such as/etc/passwd.

The owner of the upload directory and upload script must also be set to the same, otherwise there will be errors, under Safe_mode
These should be noted.

6. mysql Startup permission settings


MySQL to note is not to start with root, it is best to build another Mysqladm user. Can be in
Add a sentence in the system startup script such as/etc/rc.local:
Su mysqladm-c "/usr/local/mysql/share/mysql/mysql.server start"

This will also automatically start the MySQL process with the mysqladmin user after the system restarts.

7, log files and upload directory of the audit and

It is very important to look at the log and the inertia of the person, to look for the traces of the attack from such a large log file. The files in the Web-uploaded directory should also be checked frequently, perhaps
There is a problem with the program, the user sent some illegal files, such as executing scripts.

8, the operating system itself patch

, patching a known vulnerability to the system is the most basic responsibility of the system administrator, and this is the last line of defense.
　

The above configuration, although not impregnable, but also to a considerable extent to the attacker's testing caused a lot of trouble, even if the PHP script has a more serious vulnerability, the attacker can not cause real damage. If you have more quirky, more perverted configuration methods, you want to share it together;)

