Improve PHP security by configuring some of the server-side features of PHP

Source: Internet
Author: User

Earlier articles by Shaun Clowes, RFP and others give a detailed account of the problems met when writing PHP and CGI programs and of how application vulnerabilities are used to break into a system. This article takes the other side: it configures some of PHP's server-side features so that PHP itself is harder to abuse. When we write CGI scripts we do pay attention to security and filter user input strictly, but, as the sayings go, whoever walks along the river bank often will sooner or later get wet shoes, and nobody eats sesame seeds without dropping a few: even well-known programs such as PHP-Nuke and phpMyAdmin have had very serious problems, never mind the scripts that a small fry like me writes. So let us assume that a PHP script does have a serious flaw, for example the upload hole in an earlier PHP-Nuke that let arbitrary PHP scripts be uploaded, and ask how the server can be configured so that even a script that broken does not let the system be compromised.

1. Patch known vulnerabilities at compile time

Starting with 4.0.5, PHP's mail() function gained a fifth parameter (extra command-line options passed to sendmail), but the value was not filtered, which lets a PHP application break out of the safe_mode restriction and execute arbitrary commands. So when using 4.0.5 or 4.0.6 we need to modify the file ext/standard/mail.c in the PHP source package before compiling, either discarding the fifth parameter or filtering shell characters out of it. At line 152 of mail.c is the following line:

if (extra_cmd != NULL) {

Immediately after it, inside the block, add either extra_cmd = NULL; (drops the parameter altogether) or extra_cmd = php_escape_shell_cmd(extra_cmd); (escapes shell metacharacters before the string reaches the sendmail command line), then compile PHP as usual; the vulnerability is patched.
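The same defence can be applied at the application layer on a host where PHP cannot be recompiled. The following is an added example (not part of the original article and not PHP's own code): the unsafe pattern, in which a request value is interpolated into the fifth argument, next to a wrapper that accepts only a plain address as the envelope sender. The function names, the regular expression and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the original article.
// In PHP 4.0.5/4.0.6 the fifth argument of mail() is appended to the sendmail
// command line unfiltered, so a user-controlled value such as
// "-f a@b.c; id" runs a command (and bypasses safe_mode).

// Vulnerable pattern: the "from" value comes straight from the request.
function send_reply_unsafe($to, $subject, $body, $from)
{
    // $from = "a@b.c; /bin/sh -c ..." is handed to the shell unchanged.
    return mail($to, $subject, $body, "From: $from", "-f" . $from);
}

// Hardened pattern: allow only a syntactically plain address and build the
// option string ourselves. The pattern is deliberately narrow: letters, digits,
// dot, underscore, plus and hyphen, exactly one "@", no whitespace, quotes,
// semicolons, backticks, pipes or newlines. \z (not $) rejects a trailing newline.
function valid_sender($addr)
{
    return (bool) preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $addr);
}

function send_reply_safe($to, $subject, $body, $from)
{
    if (!valid_sender($from)) {
        return false;               // refuse; do not try to "clean up" the value
    }
    // escapeshellcmd() is a second line of defence should the pattern ever be relaxed.
    $extra = '-f' . escapeshellcmd($from);
    return mail($to, $subject, $body, "From: $from", $extra);
}

// Constructed sample values (assumed for the demo). Only the validator is run
// here; calling send_reply_* would actually invoke sendmail.
$cases = array(
    'alice@example.com',
    'alice@example.com; id > /tmp/pwned',
    "bob@example.com`uname -a`",
    "carol@example.com\n",
);
foreach ($cases as $c) {
    echo str_pad(addcslashes($c, "\n"), 40) . ' => '
       . (valid_sender($c) ? 'accepted' : 'rejected') . "\n";
}
```

Only the first value is accepted. Note that the wrapper also protects the "From:" header line, since the same validated string is used there, so header injection through CRLF characters is refused for free.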

2. Modify the php.ini configuration file

Use the php.ini-dist shipped with the PHP release as the basis for the changes below.

1) Error handling and logging

Several settings in the "Error handling and logging" section are worth changing. First find:

display_errors = On

PHP displays error messages by default; change it to:

display_errors = Off

With error display off, PHP no longer prints error messages to the user, which keeps an attacker from learning the physical path of the script and other useful details from error output, and at least makes black-box probing harder. Those messages are still useful to us, though, so write them to a file of our choosing instead. Change:

log_errors = Off

to

log_errors = On

and then name the file. Locate the following line:

; error_log = filename

Remove the leading semicolon and replace filename with the file you want, for example /usr/local/apache/logs/php_error.log:

error_log = /usr/local/apache/logs/php_error.log

All errors are now written to php_error.log. Make sure the file is writable by the web server user but not served to visitors: it contains exactly the paths and messages that display_errors = Off was meant to hide.

2) Safe mode

PHP's safe_mode restricts or disables many functions and removes a large part of the risk. (It was never a complete sandbox, and it was deprecated in PHP 5.3 and removed in PHP 5.4; on later versions rely on disable_functions, below, and on operating-system level isolation instead.) Find in the "Safe Mode" section:

safe_mode = Off

and change it to

safe_mode = On

This turns safe mode on. Functions that run system commands outright, such as shell_exec() and the backtick operator, are forbidden, and the other executing functions, exec(), system(), passthru() and popen(), are restricted to running programs in the directory named by safe_mode_exec_dir. If you really do need to run some commands or programs, find:

safe_mode_exec_dir =

and set it to the directory that will hold the programs you allow, for example:

safe_mode_exec_dir = /usr/local/php/exec

Then copy the programs you want to use into /usr/local/php/exec; the restricted functions above can run programs in that directory and nowhere else. Keep the directory itself read-only for the web server user, otherwise a script that can write files could drop its own binary there.

For the full list of functions restricted in safe mode, see the PHP manual:

http://www.php.net/manual/en/features.safe-mode.php

3) disable_functions

If you are not sure how harmful certain functions are and your applications do not use them, simply disable them. Find the line:

disable_functions =

After the "=" list the functions to be disabled, separated by commas. This directive can only be set in php.ini (or the web server configuration), not from a script with ini_set(), and it applies whether or not safe mode is on, which makes it the more robust of the two controls.
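The three steps above, collected into one php.ini fragment as an added example (this is not the article's own file and not part of any PHP distribution). The paths are the ones used in the text; the disable_functions list is an assumption for a site that never spawns processes or loads extensions at run time, so trim it to what the applications actually need.

```ini
; Added example: hardened php.ini fragment assembled from the steps above.
; Paths assume the Apache layout used in the article; adjust to the server.

[PHP]
; --- Error handling and logging ---
display_errors = Off                       ; never show errors (and paths) to clients
log_errors     = On                        ; ...but keep them for the administrator
error_log      = /usr/local/apache/logs/php_error.log

; --- Safe mode (PHP 4.x and 5.0-5.3 only; removed in PHP 5.4) ---
safe_mode          = On
safe_mode_exec_dir = /usr/local/php/exec   ; exec(), system(), passthru(), popen()
                                           ; may only run binaries copied in here

; --- Functions the applications never need (assumed list) ---
; shell_exec() and backticks are already blocked by safe_mode; disabling the
; remaining process-spawning functions too means an attacker who can write PHP
; gains nothing from safe_mode_exec_dir, and disabling dl() and ini_set() stops
; a script from loading extensions or loosening this configuration at run time.
disable_functions = exec,system,passthru,popen,proc_open,shell_exec,dl,ini_set
```

After editing, restart the web server and confirm the result with a one-line script calling phpinfo(): the "Local Value" column must show the new settings, otherwise PHP is reading a different php.ini than the one you edited.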
