Restrict File Uploads in PHP configuration
Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the upload_tmp_dir parameter.
Many administrators also choose to limit the maximum file size users can upload using the upload_max_filesize parameter. Setting this parameter is generally not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server’s PHP load.
PHP Security: Preventing Information Disclosure
Disclosing information, such as error messages, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker will need to acquire a wealth of general information about your system. This information includes your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application’s user interface is one way to inhibit an attacker’s ability to gain information they could use to compromise your system.
When display_errors is disabled, your developers are still able to retrieve debugging information from the appropriate PHP logs.
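The file-upload section and the information-disclosure section above both come down to a handful of php.ini directives. The shell script below is an added example, not code from the original page: it audits a php.ini text for those directives, flagging file_uploads left on, an upload_tmp_dir that is unset or the shared /tmp, display_errors on, and log_errors off, while reporting upload_max_filesize as informational only, in line with the point that it manages load rather than security. The two php.ini texts are constructed samples, and the decision to flag /tmp as a weak upload directory is the example's own assumption.

```shell
#!/bin/sh
# Added example: audit a php.ini text for the upload and error-display
# directives discussed above. Both ini texts below are constructed samples,
# not copied from any real server.

PHP_INI_SAMPLE='[PHP]
; weak settings this page warns about
file_uploads = On
;upload_tmp_dir = /var/php-uploads   ; commented out, so PHP ignores it
upload_tmp_dir = "/tmp"
upload_max_filesize = 2M
display_errors = On
log_errors = Off
'

PHP_INI_HARDENED='[PHP]
file_uploads = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
'

# Print the value of directive $2 from ini text $1: commented lines are
# skipped, trailing ";" comments and surrounding double quotes are stripped,
# and the last occurrence wins (as in PHP). Prints nothing if unset.
php_ini_get() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# Normalise a boolean directive to "on" or "off". Assumption: only the
# documented spellings on/true/yes/1 count as on; PHP also accepts any
# non-zero integer, which this helper does not try to mirror.
php_ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|true|yes|1) echo on ;;
        *) echo off ;;
    esac
}

# Print one WARN/OK/INFO line per directive checked.
audit_php_ini() {
    ini=$1
    if [ "$(php_ini_bool "$(php_ini_get "$ini" file_uploads)")" = on ]; then
        echo "WARN file_uploads = On: PHP accepts uploads; set file_uploads = Off unless the application needs them"
        tmp=$(php_ini_get "$ini" upload_tmp_dir)
        case "$tmp" in
            ""|/tmp|/tmp/) echo "WARN upload_tmp_dir = ${tmp:-<unset>}: uploads land in the shared system temp directory; point upload_tmp_dir at a dedicated directory" ;;
            *) echo "OK   upload_tmp_dir = $tmp" ;;
        esac
        size=$(php_ini_get "$ini" upload_max_filesize)
        echo "INFO upload_max_filesize = ${size:-<default>}: limits server load, not attack surface"
    else
        echo "OK   file_uploads = Off"
    fi

    # display_errors also accepts "stderr"/"stdout", which still display errors
    de=$(php_ini_get "$ini" display_errors | tr 'A-Z' 'a-z')
    case "$de" in
        stderr|stdout) de_on=on ;;
        *) de_on=$(php_ini_bool "$de") ;;
    esac
    if [ "$de_on" = on ]; then
        echo "WARN display_errors = ${de}: error text (paths, SQL, usernames) reaches the browser; set display_errors = Off"
    else
        echo "OK   display_errors = Off"
    fi

    if [ "$(php_ini_bool "$(php_ini_get "$ini" log_errors)")" = on ]; then
        echo "OK   log_errors = On: errors still reach the PHP log for developers"
    else
        echo "WARN log_errors = Off: with display_errors off as well, errors are discarded; set log_errors = On and error_log"
    fi
}

echo "== constructed weak php.ini =="
audit_php_ini "$PHP_INI_SAMPLE"
echo "== constructed hardened php.ini =="
audit_php_ini "$PHP_INI_HARDENED"
```

To run it against a real server, replace the sample text with `"$(cat /usr/local/lib/php.ini)"` or whichever php.ini `php --ini` reports as loaded; the audit only reads the file, so it is safe to run on a production host.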
cPanel Tool to Configure PHP and suEXEC
Main >> Service Configuration >> Configure PHP and SuExec
This tool allows you to configure the Apache PHP Handler, the default PHP version and suEXEC support.
The default PHP version determines which version of PHP is used for files with a ‘.php’ extension when served by Apache.
Enabling suEXEC provides support for Apache to run CGI programs as the user ID of the account owner. suEXEC is not PHPSuExec.
Please refer to the documentation for a detailed explanation of how each handler functions.
Reference: http://www.cpanel.net/support/docs/ea/ea3/ea3php_php_requests.html
PHP Safe Mode
If you are running a version of PHP older than 3.5.0, and you cannot enable safe mode, this page provides a couple of alternative measures you can take to better secure your PHP configuration.
In some cases, you may be able to use safe mode with a group ID (GID) check rather than a user ID (UID) check. This can be useful if, for example, you have multiple users deploying PHP scripts. To enable safe mode’s group ID check, change the following parameter:
You may also wish to limit the directories that can contain include files or executables. To do so, you can specify one or both of the following parameters:
safe_mode_include_dir = /path/to/include/directory
safe_mode_exec_dir = /path/to/executable/directory
How PHP open_basedir Works
PHP admin directives for open_basedir are added to each Virtual Host in httpd.conf. These directives limit users’ access via PHP to only the following directories:
/usr/lib/php
/usr/local/lib/php
/tmp
if PHP 4 is compiled into Apache, also /usr/php4/lib/php and /usr/local/php4/lib/php
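Because the open_basedir directives described above are set per VirtualHost, a host that was added by hand and never received one is left unrestricted. The shell script below is an added example, not code from the original page or from cPanel: it scans an httpd.conf fragment for VirtualHost blocks that lack a php_admin_value open_basedir line, and then emulates the prefix test PHP applies to an open_basedir list, so the effect of a trailing slash on each entry is visible (the PHP manual documents that an entry is a prefix, not a directory name, and that ending it with a slash restricts access to that directory alone). The httpd.conf fragment, the host names and paths, and the simplified emulation (no realpath or symlink resolution) are the example's own assumptions.

```shell
#!/bin/sh
# Added example: find VirtualHosts with no open_basedir restriction and show
# how PHP's prefix test treats an entry with and without a trailing slash.
# The httpd.conf fragment is a constructed sample, not a real server's config.

HTTPD_CONF_SAMPLE='<VirtualHost 192.0.2.10:80>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName carol.example
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir "/home/carol/:/usr/lib/php/:/usr/local/lib/php/:/tmp/"
</VirtualHost>
'

# Print the ServerName of every <VirtualHost> block that has no
# php_admin_value open_basedir line.
vhosts_without_open_basedir() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*<VirtualHost/                          { name = "?"; seen = 0 }
        /^[ \t]*ServerName[ \t]/                       { name = $2 }
        /^[ \t]*php_admin_value[ \t]+open_basedir/     { seen = 1 }
        /^[ \t]*<\/VirtualHost>/                       { if (!seen) print name }
    '
}

# Emulate PHP's open_basedir check: the path is allowed if it begins with any
# entry of the colon-separated list (an entry is a prefix, not a directory),
# or if it names exactly the directory of an entry that ends in "/".
# Simplification (assumption): paths are compared as given, with no realpath
# or symlink resolution. Prints "allowed" or "denied".
open_basedir_allows() {
    list=$1; path=$2; result=denied
    oldifs=$IFS; IFS=:
    for entry in $list; do
        [ -n "$entry" ] || continue
        case "$path" in
            "$entry"*) result=allowed; break ;;
        esac
        case "$entry" in
            */) if [ "$path" = "${entry%/}" ]; then result=allowed; break; fi ;;
        esac
    done
    IFS=$oldifs
    echo "$result"
}

NO_SLASH='/home/alice:/usr/lib/php:/usr/local/lib/php:/tmp'
WITH_SLASH='/home/carol/:/usr/lib/php/:/usr/local/lib/php/:/tmp/'

echo "VirtualHosts without open_basedir:"
vhosts_without_open_basedir "$HTTPD_CONF_SAMPLE"
echo "no trailing slash, /home/alice-old/secret: $(open_basedir_allows "$NO_SLASH" /home/alice-old/secret)"
echo "trailing slash,    /home/carol-old/secret: $(open_basedir_allows "$WITH_SLASH" /home/carol-old/secret)"
```

The second and third output lines make the point of the trailing slash: with `/home/alice` as an entry, a sibling directory such as `/home/alice-old` is also reachable because only the prefix is compared, whereas `/home/carol/` confines PHP to that directory. When writing these directives by hand, end each entry with a slash.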