Nov 1st, 2009
PHP Security
PHP Security
PHP as a module or as a CGI
Using PHP as a module is suitable for systems that are dedicated to a single purpose or for sites run by trusted groups of administrators and developers. Using PHP as a CGI (possibly with an execution wrapper) is a better option when users cannot be fully trusted.
When PHP is installed as a module, it becomes a part of Apache and performs all operations as the Apache user (usually httpd).
Using PHP as a CGI
Compiling PHP as a CGI is similar to compiling it for the situation where you are going to use it as a module. This mode of operation is the default for PHP, so there is no need to specify an option on the configure line.
Migrating from a module to CGI operation, therefore, requires modifying every script.
register_globals and allow_url_fopen
register_globals. This option is off by default as of PHP 4.2.0
allow_url_fopen, allows programmers to treat URLs as files.
Because of security reasons, we turn off these options in the php.ini file:
register_globals = Off
PHP uses modules to extend its functionality dynamically. Unlike Apache, PHP can load modules programmatically using the dl( ) function from a script. When a dynamic module is loaded, it integrates into PHP and runs with its full permissions.
Use the expose_php configuration directive to tell PHP to keep quiet.
Setting this directive to Off will prevent the version number from reaching the Server response header and special URLs from being processed:
The PHP configuration directives disable_functions and disable_classes allow arbitrary functions and classes to be disabled.
The most useful security-related PHP directive is open_basedir. It tells PHP which files it can access.
Given that web server root, here is how open_basedir should be set:
When PHP is compiled with a –enable-memory-limit, it becomes possible to put a limit on the amount of memory a script consumes. Consider using this option to prevent badly written scripts from using too much memory. The limit is set via the memory_limit option in the configuration file:
You can limit the size of each POST request. Other request methods can have a body, and this option applies to all of them. You will need to increase this value from the default value specified below if you plan to allow large file uploads:
The max_input_time option limits the time a PHP script can spend processing input.
The max_execution_time option limits the time a PHP script spends running.
File uploads can be turned on and off using the file_uploads directive.
Safe mode (http://www.php.net/manual/en/features.safe-mode.php) is an attempt of\PHP developers to enhance security of PHP deployments. Once this mode is enabled, the PHP engine imposes a series of restrictions, making script execution more secure.
PHP safe mode is a useful tool. We start by turning on the safe mode:
Safe mode puts restrictions on external process execution. Only binaries in the safe directory can be executed from PHP scripts:
The following functions are affected:
• exec( )
• system( )
• passthru( )
• popen( )
Some methods of program execution do not work in safe mode:
shell_exec( ) Disabled in safe mode.
backtick operator Disabled in safe mode.
dl( ) Disabled in safe mode.
Hardened-PHP (http://www.hardened-php.net) is a project that has a goal of remedying some of the shortcomings present in the mainstream PHP distribution.
Reference - http://www.php.net
