Archive for April, 2011

SBDavid

PHP security: restricting includes

Local include attacks occur when an attacker is able to pull local files into PHP scripts to view sensitive information on or about your system. For example, an attacker may be able to include and subsequently view the /etc/passwd file using a PHP inclusion vulnerability, in effect acquiring some basic information about every account associated with your web server.

To help prevent local include vulnerabilities, you can set the open_basedir parameter in your PHP configuration to a specific directory. This limits an attacker’s access via local includes to that single directory tree. In most cases, you will want to set open_basedir to the public_html directory, allowing PHP to open and modify the HTTP-accessible (public) files contained within it while blocking access to more sensitive files outside of the specified directory.

SBDavid

rebuild_phpconf help options

To see a list of all options and arguments for this script, type the following from the command line:

/usr/local/cpanel/bin/rebuild_phpconf --help

The system will display usage information as follows:

Usage: /usr/local/cpanel/bin/rebuild_phpconf [--dryrun] [--no-restart] [--no-htaccess]
[--current|--available]
--dryrun : Only display the changes that would be made
--no-restart : Don't restart Apache after updating the php.conf link
--no-htaccess : Don't update user configurable PHP mime mapping.
--current : Show current settings
--available : Show available handlers and PHP SAPIs
[Default PHP] : Version of PHP to set as default handler for .php files
[PHP# Handler] : Type of Apache module to use in serving PHP requests
: enabled, disabled, 1 or 0

The rebuild_phpconf script (located at /usr/local/cpanel/bin/rebuild_phpconf) allows you to update your server’s php.conf file. By doing this, you can change Apache’s PHP handler configuration, change the default version of PHP used by your server, and enable or disable the suEXEC feature.

Note: This script offers nearly the same functionality as the WHM Configure PHP and suEXEC feature. Users more comfortable with a graphical interface may prefer that method.

SBDavid

Initial Set Up for Quotas on cPanel

This is the final stage of the Initial Setup process. You will need to select whether you would like to track disk usage on your server. This is generally a good idea if you plan to lease server space to individual users. However, if you do not plan to host individual accounts on your server, you may not need to enable quotas.

To set up quotas:

Select Use file system quotas.
This is a good idea if you plan to host individual accounts on your server.

To disable quotas:

Select Do not use file system quotas.
This is not a good idea if you plan to host individual accounts on your server.

Once you have finished, click the Finish Setup Wizard button. You will then be taken to the WHM homepage.

Restrict File Uploads in PHP configuration

Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the upload_tmp_dir parameter.

Many administrators also choose to limit the maximum file size users can upload using the upload_max_filesize parameter. Setting this parameter is generally not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server’s PHP load.
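As an added example (not from the original posts), the php.ini directives covered by the two PHP posts above, showing the permissive settings next to a hardened per-account configuration; the /home/example paths are assumed:

```ini
; --- Permissive: nothing stops include($_GET['page']) from reading /etc/passwd ---
; open_basedir is unset, so include/require, fopen and friends may read any
; file the web server user can read; uploads land in the system temp directory.
; open_basedir =
; file_uploads = On
; upload_tmp_dir =

; --- Hardened for one account (assumed layout: /home/example) ---
; Separate several directories with ":" on Unix-like systems. The restriction
; applies to all filesystem functions, not only include/require.
open_basedir = "/home/example/public_html/:/home/example/tmp/"

; If the site never needs uploads, turn them off outright:
; file_uploads = Off
; Otherwise keep them on but move temporary files out of the shared /tmp.
; upload_tmp_dir must lie inside open_basedir or PHP will refuse to use it.
file_uploads = On
upload_tmp_dir = "/home/example/tmp/"

; Size limit: a load-management setting rather than a security control.
upload_max_filesize = 2M
```

Set these in the php.ini used by your PHP handler and verify with a phpinfo() page or `php -i` that the values took effect.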
