PHP Security: Preventing Information Disclosure
Disclosing information, such as errors, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker will need to acquire a wealth of general information about your system, including your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application’s user interface is one way to inhibit an attacker’s ability to gain information they could use to compromise your system.
When display_errors is disabled, your developers are still able to retrieve debugging information from the appropriate PHP logs.
cPanel tool to configure PHP and suEXEC
Main >> Service Configuration >> Configure PHP and SuExec
This tool allows you to configure the Apache PHP Handler, the default PHP version and suEXEC support.
The default PHP version determines which version of PHP is used for files with a ‘.php’ extension when served by Apache.
Enabling suEXEC provides support for Apache to run CGI programs as the user ID of the account owner. suEXEC is not PHPSuExec.
Please refer to the documentation for a detailed explanation of how each handler functions.
Reference: http://www.cpanel.net/support/docs/ea/ea3/ea3php_php_requests.html
PHP Safe Mode
If you are running a version of PHP older than 3.5.0, and you cannot enable safe mode, this page provides a couple of alternative measures you can take to better secure your PHP configuration.
In some cases, you may be able to use safe mode with a group ID (GID) check rather than a user ID (UID) check. This can be useful if, for example, you have multiple users deploying PHP scripts. To enable safe mode’s group ID check, change the following parameter:
You may also wish to limit the directories that can contain include files or executables. To do so, specify one or both of the following parameters:
safe_mode_include_dir = /path/to/include/directory
safe_mode_exec_dir = /path/to/executable/directory
How PHP open_basedir works
PHP admin directives for open_basedir are added to each Virtual Host in httpd.conf. These directives limit users’ access via PHP to only the following directories:
/usr/lib/php
/usr/local/lib/php
/tmp
If PHP 4 is compiled into Apache: /usr/php4/lib/php and /usr/local/php4/lib/php
cPanel PHP open_basedir Tweak
open_basedir: a PHP feature that prevents users from opening files outside their home directories. It can be enabled using WHM’s PHP open_basedir Tweak feature.
This parameter allows you to limit file operations to a specific directory. Attackers will often attempt to find ways to include local files in PHP scripts to gain information about your server’s filesystem.
(WHM >> Security Center >> PHP open_basedir Tweak)
The open_basedir tweak prevents users from browsing the file system using PHP. It does this by limiting PHP’s access to the user’s home directory, /tmp, and a few necessary PHP system directories. If you wish to use the open_basedir tweak with a PHP handler other than DSO, you will need to manually specify the open_basedir directive in each user’s php.ini file.
To prevent accounts from accessing foreign files using PHP:
#Click the Enable php open_basedir Protection checkbox at the top of the list.
#Select domains you wish to exclude, disabling protection for their files.
#Click Save.
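As an added example (not code from the cPanel documentation), here is a standalone PHP script that exercises the two settings this page recommends: display_errors off with log_errors on, and open_basedir restricting file access to one tree. The demo directory and error-log path are constructed for the example; it assumes a Unix-like host with the PHP CLI and an existing /etc/passwd.

```php
<?php
// Added example, not part of the cPanel documentation above. It shows at
// runtime what the page's two settings do: display_errors=0 keeps PHP warnings
// off the page (they go to the error log instead) and open_basedir refuses
// file operations outside the allowed tree. Assumes a Unix-like host and the
// PHP CLI; every path below is constructed for the demo.

$allowed = realpath(sys_get_temp_dir()) . '/obd-demo-' . getmypid();
mkdir($allowed, 0700);
file_put_contents("$allowed/inside.txt", "ok\n");

// Errors: never on the page, always in a log the administrator can read.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', "$allowed/php-error.log");

// Restrict this process to the demo tree. The trailing slash matters: without
// it "/tmp/obd-demo-1" would also match "/tmp/obd-demo-10" (prefix match).
// open_basedir can only be tightened at runtime, never loosened, which is why
// php.ini or php_admin_value in httpd.conf is where it normally lives.
ini_set('open_basedir', $allowed . '/');

// true if PHP let us read $path, false if open_basedir (or a missing file) refused.
function readAllowed(string $path): bool
{
    return file_get_contents($path) !== false;
}

$cases = [
    'inside allowed tree'        => "$allowed/inside.txt",
    'outside tree (/etc/passwd)' => '/etc/passwd',
    'traversal (..) out of tree' => "$allowed/../../etc/passwd",
];
foreach ($cases as $label => $path) {
    printf("%-28s %s\n", $label, readAllowed($path) ? 'readable' : 'blocked');
}

// The warning text a visitor would have seen with display_errors=1 went to
// the log instead, where only the administrator can read it.
echo "\nlogged for the administrator:\n";
echo file_get_contents("$allowed/php-error.log");

// clean up the demo tree
array_map('unlink', ["$allowed/inside.txt", "$allowed/php-error.log"]);
rmdir($allowed);
```

Run it with `php demo.php`; the first case reads, the other two are blocked, and the "open_basedir restriction in effect" warnings appear only in the log file, not in the script's output.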