About Me

My photo
Kolkata - Durgapur - Santiniketan - Sainthia, West Bengal, India
A competent professional of about 3 Years of Experience in the Web Application and Development Scenario. Currently associated with also a web development company; Kolkata as a Project Leader. A result-oriented Team Player with proven expertise in Analysis / Development / Research / Project & Process Management/ Client Servicing. Exceptional analysis and problem solving skills to cut across the organisational levels and accomplish project business goals of the Organisation. Myself, very hardworking, committed, focused, think logically, talented, sincere on my work, doesn't stop until achieves success.

Thursday, October 11, 2012

PHP Security Tips

Default Settings
  • DocumentRoot: /var/www/html
  • Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
  • Default PHP configuration file: /etc/php.ini
  • Default PHP extensions config directory: /etc/php.d/
  • Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
  • Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
  • Default php server TCP/UDP ports: none

Find Built-in PHP Modules

To see the set of compiled-in PHP modules type the following command:
# php -m

I recommends that you use PHP with a reduced modules for performance and security and disabled the unnecessaryssary modules like as follows;
# rm /etc/php.d/sqlite3.ini
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable


Restrict PHP Information Leakage

To restrict PHP information leakage disable expose_php. Edit /etc/php.d/secutity.ini and set the following directive: expose_php=Off

When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). The PHP logo guids are also exposed, thus appending them to the URL of a PHP enabled site will display the appropriate logo. When expose_php enabled you can see php version using the following command:
$ curl -I http://www.google.com/index.php



Minimize Loadable PHP Modules (Dynamic Extensions)

PHP supports "Dynamic Extensions". By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your webapps requires. For example, to disable gd extension, type the following commands:

# cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart

To enable php module called gd, enter:

# mv gd.{disable,ini}
# /sbin/service httpd restart



Log All PHP Errors

Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:

display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log

Turn Off Remote Code Execution

If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- can retrieve data from remote locations, like an FTP or web site.

The allow_url_fopen option allows PHP's file functions - such as file_get_contents() and the include and require statements - can retrieve data from remote locations using ftp or http protocols. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. Edit /etc/php.d/security.ini and set the following directive:allow_url_fopen=Off

I also recommend to disable allow_url_include for security reasons:allow_url_include=Off


Enable SQL Safe Mode

sql.safe_mode=On
magic_quotes_gpc=Off


Control POST Size

post_max_size=1K

  Order allow,deny
 ## Add rest of the config goes here... ##


Resource Control (DoS Control)

# set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M

Disabling Dangerous PHP Functions
PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in /etc/php.d/security.inidisable_functions

=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source


PHP Fastcgi / CGI - cgi.force_redirect Directive

PHP work with FastCGI. Fascgi reduces the memory footprint of your web server, but still gives you the speed and power of the entire PHP language. You can configureApache2+PHP+FastCGI or cgi as described here. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive: cgi.force_redirect=On


PHP User and Group ID

Limit PHP Access To File System

Session Path

Restrict File and Directory Access

Write Protect Apache, PHP, and, MySQL Configuration Files

Use Linux Security Extensions (such as SELinux)

Install Mod_security

Run Apache / PHP In a Chroot Jail If Possible

Use Firewall To Restrict Outgoing Connections

Watch Your Logs & Auditing

Run Service Per System or VM Instance

Keep PHP, Software, And OS Up to Date
Posted by at No comments:

Know Your Enemy - PHP Security Best Practices For System Admin (Linux)

PHP based apps can face the different types of attacks. I have noticed the different types of attacks:

XSS - Cross-site scripting is a vulnerability in php web applications, which attackers may exploit to steal users' information. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid xss attacks.

SQL injection - It is a vulnerability in the database layer of an php application. When user input is incorrectly filtered any SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
Spoofing

File uploads - It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete database, get user details and much more. You can disable file uploads using php or write secure code (like validating user input and only allow image file type such as png or gif).

Including local and remote files - An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors. You can configure php to disable remote file execution.

eval() - Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure php to disable eval().

Sea-surf Attack (Cross-site request forgery - CSRF) - This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Posted by at No comments:
Subscribe to: Posts (Atom)

Popular Posts