Enhancing PHP security by configuring some server-side features of PHP

by san@xfocus.org

Earlier articles by people such as Shaun Clowes and RFP have described in detail the problems that PHP and CGI programs run into during programming, and how application vulnerabilities can be used to break into the system. This article instead looks at enhancing PHP security by configuring some of PHP's server-side features. When writing CGI scripts we certainly pay attention to all kinds of security issues and filter user input strictly, but whoever walks along the river often will eventually get their shoes wet: even well-known programs such as PHP-Nuke and phpMyAdmin have had very serious problems, let alone the scripts I write myself. So let us now assume that a PHP script already has a serious problem, like the PHP-Nuke bug a while ago that allowed PHP scripts to be uploaded, and ask how to configure the server so that even when such a problem appears in a script, the system still cannot be broken into.

1. Patch known holes before compiling
Starting with 4.0.5, PHP's mail() function gained a fifth parameter, but it is not filtered properly, which allows a PHP application to break out of safe_mode and execute commands. So when using 4.0.5 or 4.0.6 we need to modify the PHP source package before compiling: in the file ext/standard/mail.c, either forbid the fifth parameter of mail() or filter the shell metacharacters out of it. Line 152 of mail.c is the following line:
if (extra_cmd != NULL) {
Right after it, add either
extra_cmd = NULL;
(which ignores the fifth parameter entirely) or
extra_cmd = php_escape_shell_cmd(extra_cmd);
(which escapes shell metacharacters), then compile PHP. This way we have patched this hole.

2. Modify the php.ini configuration file
Use the php.ini-dist shipped with the PHP release as the template for your changes.
1) Error handling and logging
Some settings can be made in the "Error handling and logging" section. First find:
display_errors = On
By default PHP displays error messages; change it to:
display_errors = Off
Once error display is turned off, PHP functions no longer show error information to the user. This keeps an attacker from learning the physical location of the script and other useful details from error messages, which at least puts some obstacles in the way of an attacker's black-box probing. These error messages may still be useful to us, though, and can be written to a file of our choosing, so also change:
log_errors = Off
to
log_errors = On
and specify the file: find the following line
; error_log = filename
remove the leading ";" and change filename to the file you want, for example /usr/local/apache/logs/php_error.log:
error_log = /usr/local/apache/logs/php_error.log
All errors will then be written to the php_error.log file.
2) Safe mode
PHP's safe_mode feature restricts or disables many functions and solves PHP's security problems to a large extent. In the "Safe Mode" section find:
safe_mode = Off
and change it to
safe_mode = On
This turns on safe_mode. Functions that can execute system commands, such as shell_exec() and the backtick operator `, are forbidden outright, while the other execution functions such as exec(), system(), passthru() and popen() are restricted to running only programs under the directory specified by safe_mode_exec_dir. If you really do need to execute some commands or programs, find:
safe_mode_exec_dir =
and specify the path of the programs that may be executed, for example:
safe_mode_exec_dir = /usr/local/php/exec
Then copy the programs you need into the /usr/local/php/exec directory, so that the restricted functions above can still execute the programs in that directory.
For more information about the functions restricted in safe mode, see the description on the main PHP site:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are unsure how harmful certain functions are and you do not use them, simply disable them. Find the following line:
disable_functions =
and after the "=" add the functions to be forbidden, separating multiple functions with ",".

3. Modify httpd.conf
If you only allow your PHP scripts to operate within the web directory, you can also modify the httpd.conf file to restrict the paths PHP may operate on. For example, if your web directory is /usr/local/apache/htdocs, add this line to httpd.conf:

php_admin_value open_basedir /usr/local/apache/htdocs

This way, if a script tries to read a file outside /usr/local/apache/htdocs, it will not be allowed; if error display is on, it will show an error like:
Warning: open_basedir restriction in effect. File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
and so on.
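As an added example (not code from the original article or from the PHP project), the following POSIX shell script reads a php.ini and an httpd.conf and reports which of the settings from sections 2 and 3 are still at their php.ini-dist defaults. The directive names are the real ones; the file contents, the temporary paths and the "php_admin_value open_basedir" line it looks for in httpd.conf are constructed samples based on what the sections above show, and the script assumes open_basedir is set that way rather than in php.ini.

```shell
#!/bin/sh
# Added example, not part of the original article: check a php.ini and an
# httpd.conf for the settings recommended in sections 2 and 3. Directive
# names are real; the sample file contents and paths are constructed.

# Print the effective value of a php.ini directive. Lines starting with ';'
# are comments; when a directive appears more than once the last one wins,
# which is how PHP itself reads the file. Trailing comments and surrounding
# double quotes are stripped.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Normalise a php.ini boolean: On/1/True/Yes mean on, anything else is off.
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# Print the open_basedir path set with php_admin_value in httpd.conf
# (the form section 3 uses), or nothing if the directive is missing.
httpd_open_basedir() {
    sed -n 's/^[[:space:]]*php_admin_value[[:space:]]\{1,\}open_basedir[[:space:]]\{1,\}//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# One line per weak setting; prints nothing when every check passes.
audit_php_config() {
    ini="$1"; httpd="$2"
    if [ "$(ini_bool "$(ini_get "$ini" display_errors)")" = on ]; then
        echo "display_errors=On: error text (script paths, failing calls) reaches the client"
    fi
    if [ "$(ini_bool "$(ini_get "$ini" log_errors)")" = off ]; then
        echo "log_errors=Off: errors are recorded nowhere once display is turned off"
    fi
    if [ -z "$(ini_get "$ini" error_log)" ]; then
        echo "error_log unset: logged errors go to the SAPI default, not a reviewable file"
    fi
    if [ "$(ini_bool "$(ini_get "$ini" safe_mode)")" = off ]; then
        echo "safe_mode=Off: exec()/system()/passthru()/popen() are not confined to safe_mode_exec_dir"
    fi
    if [ -z "$(ini_get "$ini" disable_functions)" ]; then
        echo "disable_functions empty: no unused dangerous functions are switched off"
    fi
    if [ -z "$(httpd_open_basedir "$httpd")" ]; then
        echo "open_basedir not set in httpd.conf: scripts may read files outside the web directory"
    fi
    return 0
}

# Number of weak settings, for scripting (0 means the config passes).
count_weak_settings() {
    audit_php_config "$1" "$2" | wc -l | tr -d ' '
}

# Constructed samples: the relevant lines as they ship in php.ini-dist plus a
# bare httpd.conf (weak), next to the article's recommended values (hardened).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/php.ini.weak" <<'EOF'
[PHP]
display_errors = On
log_errors = Off
; error_log = filename
safe_mode = Off
safe_mode_exec_dir =
disable_functions =
EOF
printf '# no PHP directives yet\n' > "$WORK/httpd.conf.weak"
cat > "$WORK/php.ini.hard" <<'EOF'
[PHP]
display_errors = Off
log_errors = On
error_log = /usr/local/apache/logs/php_error.log
safe_mode = On
safe_mode_exec_dir = /usr/local/php/exec
disable_functions = shell_exec, passthru, popen
EOF
printf 'php_admin_value open_basedir /usr/local/apache/htdocs\n' > "$WORK/httpd.conf.hard"

echo "weak config:";     audit_php_config "$WORK/php.ini.weak" "$WORK/httpd.conf.weak"
echo "hardened config:"; audit_php_config "$WORK/php.ini.hard" "$WORK/httpd.conf.hard"
```

Run it against a real server by pointing audit_php_config at the live php.ini and httpd.conf; the check for open_basedir only recognises the php_admin_value form used in section 3, so a value set inside php.ini or a VirtualHost block needs the same sed applied to that file.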

4. Compile the PHP code
Zend has contributed a great deal to PHP: PHP4's engine is Zend, and Zend also developed many add-on components for PHP such as ZendOptimizer and ZendEncoder. The optimizer, ZendOptimizer, can be obtained free of charge simply by registering at http://www.zend.com. The following are the ZendOptimizer packages for 4.0.5 and 4.0.6 for the various systems:
Zendoptimizer-1.1.0-php_4.0.5-freebsd4.0-i386.tar.gz
Zendoptimizer-1.1.0-php_4.0.5-linux_glibc21-i386.tar.gz
Zendoptimizer-1.1.0-php_4.0.5-solaris-sparc.tar.gz
Zendoptimizer-1.1.0-php_4.0.5-windows-i386.zip
The optimizer is very easy to install, and the package contains detailed instructions. Taking the UNIX version as an example: pick the package for your operating system, copy its zendoptimizer.so file to a directory, say /usr/local/lib, and add two lines to php.ini:
zend_optimizer.optimization_level=15
zend_extension="/usr/local/lib/zendoptimizer.so"
That is all. Run phpinfo() and you should see the Zend logo with the following text to its left:
With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
That means the optimizer has hooked in successfully.
The compiler ZendEncoder, however, is not free. Here is a compiler front-end designed by Ma Yong of http://www.PHPease.com; if you use it for commercial purposes, contact http://www.zend.com to obtain a license agreement.
After a PHP script is compiled it executes much faster, and the script file shows nothing but a pile of garbled characters, which prevents an attacker from analysing the scripts on the server any further; passwords that used to be stored in plaintext in PHP scripts, such as the MySQL password, are also kept secret. Modifying scripts on the server side becomes more troublesome, though, so it is better to change them locally and upload them again.

5. Permission settings for files and directories
Apart from the upload directories under the web directory, no other directory or file may be writable by the nobody user; otherwise an attacker could modify the home page file, so the permissions of the web directory must be set carefully.
Also, the owner of a PHP script must not be root, because under safe_mode a script may only read a file whose owner is the same as the owner of the currently executing script; otherwise, if error display is on, an error like the following will be shown:
Warning: SAFE MODE Restriction in effect. The script whose uid is [uid] is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
This way we can prevent many system files, such as /etc/passwd, from being read.
The owner of the upload directory and of the upload script must also be set to the same user, otherwise there will be errors; these points need attention under safe_mode.

6. MySQL startup permission settings
MySQL must not be started as root; it is best to create a separate mysqladm user. You can add a line to /etc/rc.local or another system startup script:
su mysqladm -c "/usr/local/mysql/share/mysql/mysql.server start"
This way the MySQL process is also started automatically as the mysqladm user after the system restarts.

7. Auditing log files and the upload directory
Reviewing the logs is very important, even though people are lazy about it and it is hard work to look for traces of an attack in such large log files. The files in the web upload directory should also be checked frequently: perhaps the program has a problem and a user has sent some illegal files, such as executable scripts.
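As an added example (not code from the original article), the following POSIX shell functions turn the checks of sections 5 and 7 into something that can be run from cron: files under the web root that the nobody user could write to (outside the upload directory), PHP scripts owned by root, script or executable files sitting in the upload directory, and a summary of the open_basedir and safe_mode warnings from sections 3 and 5 as they appear in php_error.log once log_errors is On. The directory tree, the file names and the log lines (including the uid 99 and the timestamps) are constructed samples; the real web root, upload directory and error_log path are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not part of the original article: audit helpers for the
# permission rules of section 5 and the log/upload review of section 7.
# All paths and log lines below are constructed for demonstration.

# Section 5: entries under the web root, outside the upload directory, that
# are writable by "other" (which is how a file not owned by nobody becomes
# writable by the nobody user the web server runs as).
find_writable_outside_upload() {
    webroot="$1"; upload="$2"
    find "$webroot" -path "$upload" -prune -o -perm -002 -print | sort
}

# Section 5: PHP scripts owned by root. Under safe_mode a script may only
# read files with the same owner, so a root-owned script would be allowed
# to read root-owned system files such as /etc/passwd.
find_root_owned_scripts() {
    find "$1" -type f -name '*.php' -user root | sort
}

# Section 7: files in the upload directory that look like scripts, either by
# extension or because some execute bit is set.
find_scripts_in_upload() {
    find "$1" -type f \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \
        -o -name '*.pl' -o -name '*.cgi' \
        -o -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Section 7: how many open_basedir / safe_mode restriction warnings the
# error_log holds, and which scripts triggered them (count, then path).
count_restriction_warnings() {
    grep -cE 'open_basedir restriction in effect|SAFE MODE Restriction in effect' "$1"
}
scan_php_error_log() {
    grep -E 'open_basedir restriction in effect|SAFE MODE Restriction in effect' "$1" \
        | sed -n 's/.* in \([^ ]*\) on line [0-9]*.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample tree and log (assumed layout: web root with an include
# directory and an upload directory, error_log beside it).
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
WEBROOT="$ROOT/htdocs"; UPLOAD="$WEBROOT/upload"; LOG="$ROOT/php_error.log"
mkdir -p "$WEBROOT/include" "$UPLOAD"
printf '<?php echo "index"; ?>\n'      > "$WEBROOT/index.php"
printf '<?php $db_pass = "x"; ?>\n'    > "$WEBROOT/include/config.php"
printf 'GIF89a\n'                      > "$UPLOAD/photo.gif"
printf '<?php /* uploaded */ ?>\n'     > "$UPLOAD/uploaded.php"
: > "$UPLOAD/run.sh"
chmod 755 "$ROOT" "$WEBROOT"
chmod 777 "$UPLOAD"            # upload directory must be writable: expected
chmod 777 "$WEBROOT/include"   # mistake: nobody can drop files here
chmod 666 "$WEBROOT/index.php" # mistake: nobody can rewrite the home page
chmod 644 "$WEBROOT/include/config.php" "$UPLOAD/photo.gif" "$UPLOAD/uploaded.php"
chmod 755 "$UPLOAD/run.sh"
cat > "$LOG" <<'EOF'
[12-Aug-2001 10:01:12] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
[12-Aug-2001 10:01:40] PHP Notice:  Undefined variable: x in /usr/local/apache/htdocs/index.php on line 9
[12-Aug-2001 10:02:03] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 99 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
[12-Aug-2001 10:05:51] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/upload/uploaded.php on line 2
EOF

echo "writable outside upload:"; find_writable_outside_upload "$WEBROOT" "$UPLOAD"
echo "root-owned scripts:";      find_root_owned_scripts "$WEBROOT"
echo "scripts in upload dir:";   find_scripts_in_upload "$UPLOAD"
echo "restriction warnings by script:"; scan_php_error_log "$LOG"
```

The log scan keys on the two warning texts quoted in sections 3 and 5, so any script that shows up repeatedly there is either misconfigured or being used to probe outside its allowed directory, and is the first thing to read when reviewing a large php_error.log.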

8. Patching the operating system itself
Patching known vulnerabilities in the system is the most basic responsibility of a system administrator, and this is the last line of defence.

The configuration above, although not impregnable, makes an attacker's probing considerably more troublesome, so that even if a PHP script has a serious vulnerability, the attacker cannot cause real damage.
If you have a more unusual, more extreme configuration method, I hope you will share it ;) (Source: Viphot)
