PHP

Posted on Sunday March 13, 2016 / by Eric Potvin

PHP's configuration file, php.ini, contains a set of directives that can be used to harden your web applications. This post targets the PHP 5 packages on Debian/Ubuntu with Apache's mod_php (hence the /etc/php5 paths); several of the directives below were removed in later PHP releases, which is noted where it applies.

php.ini

For the Apache module, the settings live in /etc/php5/apache2/php.ini; the CLI and any other SAPI read their own copy under /etc/php5/, so changes here do not affect scripts run from the command line. First, open the file:

sudo vi /etc/php5/apache2/php.ini

Safe Mode

Safe Mode exists only in PHP 5.3 and earlier: it was deprecated in 5.3 and removed in 5.4, and PHP 5.4+ logs a startup warning and ignores the directives below. The PHP project itself described it as architecturally incorrect, so treat it as defence in depth on old installs, not as a security boundary; on current versions the equivalent controls are file-system permissions, open_basedir and disable_functions.

Where it is available, Safe Mode makes PHP check that a script operating on a file is owned by the same user as that file (safe_mode_gid relaxes the check to the group), so that one user's scripts cannot read or modify another user's files on a shared host.

Safe mode also restricts the executables that may be run by scripts in the same way it restricts file and directory access, and can be configured so that only executables in a certain directory can be run. This limits the shell commands a script can reach.

safe_mode = On
safe_mode_gid = On
sql.safe_mode = On

sql.safe_mode is unrelated to the two above: when it is on, the database connection functions ignore the host, user and password passed to them and use the defaults from php.ini, so a script cannot connect as an arbitrary user. It was removed in PHP 7.2.

To control where files may be included from and where executables may be run from, set the following two directives. safe_mode_include_dir names a directory (and its subdirectories) whose files are included without the UID/GID check; safe_mode_exec_dir restricts system(), exec() and friends to executables in that directory:

safe_mode_include_dir = /path/to/dir
safe_mode_exec_dir = /path/to/exec/dir

Disable Globals

register_globals injects every GET, POST, cookie and environment value straight into the global variable scope, so untrusted input can overwrite any variable the script did not initialise first. It must be Off. (It was deprecated in PHP 5.3 and removed in 5.4, so on newer versions it is already gone.)

register_globals = Off

Hide PHP Information

With expose_php on, PHP adds an X-Powered-By: PHP/x.y.z header to every response, which tells an attacker exactly which version to look up; turn it off. The other two are not about information leakage: track_errors stores the last error message in $php_errormsg, and html_errors formats error messages as HTML. Neither matters once display_errors is off (next section), but there is no reason to leave them on.

expose_php = Off
track_errors = Off
html_errors = Off

Hide errors

Hide all PHP errors from the browser. Error messages expose file paths, SQL fragments, library versions and stack traces, which is exactly the reconnaissance an attacker starts with. Hiding them does not mean discarding them: keep log_errors = On and point error_log at a file outside the document root, so the same information reaches you and not the client.

display_errors = Off

Disabling Functionality

Some PHP functions are unsafe to expose to application code: used unwisely, or reached through an injection flaw, they let a script run shell commands, inspect or signal the process, or disclose details about the server. disable_functions removes them from the engine entirely. It can only be set in php.ini (not with ini_set() or in httpd.conf), names that are not real functions are silently ignored, and the list below is a starting point to prune against what your application actually calls (many frameworks need set_time_limit, for example), so test after enabling it. Note that popen is missing from this list and is another way to run a shell, so add it unless you need it; disabling shell_exec also disables the backtick operator.

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

Disable Remote File Includes

With allow_url_include on, include, require and their _once variants accept http:// and ftp:// URLs, so any include whose path is influenced by user input can pull in attacker-hosted PHP code (remote file inclusion). allow_url_fopen is the broader switch that lets the fopen-family functions (file_get_contents, fopen, ...) open URLs at all. Disable both unless your application genuinely fetches remote resources through the stream functions; if it does, keep allow_url_fopen on but still keep allow_url_include off (it has defaulted to Off since PHP 5.2).

allow_url_fopen = Off
allow_url_include = Off

Restrict File Uploads

If your application does not accept uploads, disable them entirely: file upload is the usual way an attacker gets a web shell or malware onto the server.

file_uploads = Off

If uploads are essential, limit the maximum size and give PHP a dedicated temporary directory outside the document root. upload_tmp_dir must be writable by the web server user (www-data on Debian/Ubuntu), otherwise PHP falls back to the system temporary directory. Keep post_max_size (see Control POST Size below) larger than upload_max_filesize, or the whole request is dropped and $_FILES arrives empty. Neither setting validates content: the application still has to check what was uploaded and store it outside the web root.

upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M

Resource Control

You can cap the time a script may run (max_execution_time; on Unix this measures the script's own CPU time, so time spent waiting on the database or on I/O is not counted), the time PHP may spend parsing request data (max_input_time), and the memory a single script may consume (memory_limit). These bound the damage one runaway or deliberately expensive request can do; tune them to your application, since report generation or image resizing legitimately needs more than a plain page, and keep memory_limit above post_max_size (next section), since memory_limit also governs file uploads.

max_execution_time =  10
max_input_time = 30
memory_limit = 40M

Control POST Size

The HTTP POST method is how a client sends data to the web server, from a form for example. An elementary attack sends oversized POST bodies to consume memory and parsing time; Apache's LimitRequestBody can cut such requests before PHP sees them, and post_max_size caps what PHP itself will parse.

post_max_size must be larger than upload_max_filesize, and memory_limit must be larger than post_max_size; a request bigger than the limit is dropped silently ($_POST and $_FILES come back empty, with only a warning in the log). A value like 1K is therefore far too small for any real form. 8M is PHP's default and leaves room for the 2M uploads allowed above; lower it to whatever your largest legitimate form needs:

post_max_size = 8M
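The size relationship between the upload, POST and memory limits is easy to get wrong because php.ini uses shorthand sizes (K, M, G). As an added example, not part of the original post, here is a small POSIX shell script that converts those shorthand values to bytes and checks the ordering upload_max_filesize <= post_max_size <= memory_limit for the Restrict File Uploads and Control POST Size settings; the function names are this example's own. The usage lines at the bottom feed it the 2M upload limit from the file upload section together with a 1K POST cap, to show the inconsistency being caught, and then a consistent set.

```shell
#!/bin/sh
# Added example, not from the original post: check that PHP's upload,
# POST and memory limits are consistent. Function names are our own.

# Convert a php.ini shorthand size to bytes. PHP looks only at the last
# character: K, M or G (case-insensitive) multiply by 1024, 1024^2, 1024^3;
# anything else is taken as a plain byte count. -1 means "unlimited".
php_size_to_bytes() {
    v=$1
    case "$v" in
        *[Kk]) printf '%s\n' $(( ${v%?} * 1024 )) ;;
        *[Mm]) printf '%s\n' $(( ${v%?} * 1024 * 1024 )) ;;
        *[Gg]) printf '%s\n' $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
        *)     printf '%s\n' $(( $v )) ;;
    esac
}

# check_php_limits UPLOAD_MAX_FILESIZE POST_MAX_SIZE MEMORY_LIMIT
# Returns 0 if upload_max_filesize <= post_max_size <= memory_limit,
# prints each violation and returns 1 otherwise. A memory_limit of -1
# (unlimited) satisfies the second comparison trivially.
check_php_limits() {
    upload=$(php_size_to_bytes "$1")
    post=$(php_size_to_bytes "$2")
    mem=$(php_size_to_bytes "$3")
    rc=0
    if [ "$upload" -gt "$post" ]; then
        echo "upload_max_filesize=$1 exceeds post_max_size=$2:" \
             "uploads larger than $2 are dropped and \$_FILES arrives empty"
        rc=1
    fi
    if [ "$mem" -ge 0 ] && [ "$post" -gt "$mem" ]; then
        echo "post_max_size=$2 exceeds memory_limit=$3:" \
             "a request near the POST limit can exhaust the script's memory"
        rc=1
    fi
    return $rc
}

# Usage: a 2M upload limit with a 1K POST cap is inconsistent, so the
# first call prints a violation; 2M/8M/40M passes.
if check_php_limits 2M 1K 40M; then
    echo "limits consistent"
fi
if check_php_limits 2M 8M 40M; then
    echo "limits consistent"
fi
```

Run it with the three values from your own php.ini; each violation is printed with the reason, and the exit status lets it sit in a deployment check.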

Protect Sessions

session.save_path (a directory under /var/lib/php5 on Debian/Ubuntu by default) must be readable and writable by the web server user, and other users on the host must not be able to read it, otherwise they can read or forge sessions. Also have PHP mark the session cookie HttpOnly so that JavaScript cannot read it. This does not prevent Cross-Site Scripting, but it removes the most common payoff of an XSS bug: stealing the session cookie through document.cookie. If the site is served over HTTPS, set session.cookie_secure = 1 as well, and session.use_only_cookies = 1 keeps the session ID out of URLs.

session.cookie_httponly = 1

session.referer_check makes PHP discard a session ID unless the request's Referer header contains the given substring, which limits the reuse from another site of session IDs that leak through links or bookmarks (mostly when the ID travels in the URL). It is a weak control: Referer is client-supplied, often absent, and the test is a plain substring match, so treat it as a minor extra rather than as session protection.

session.referer_check = mydomain.com

magic_quotes_gpc

magic_quotes_gpc automatically prefixes quotes and backslashes in GET, POST and cookie data with a backslash. It should be Off: it is not a reliable defence against SQL injection (it escapes for no particular database or character set and does nothing in numeric contexts), it silently corrupts data that is not headed for a database, and code written to expect it breaks where it is absent. Escape properly or, better, use prepared statements in your PHP code instead. The directive was deprecated in PHP 5.3 and removed in 5.4, so on newer versions it is already gone.

magic_quotes_gpc=Off
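The php.ini directives above fail silently when they are wrong: a misspelled directive name is ignored, and when a directive appears twice PHP uses the last occurrence. As an added example, not from the original post, the following POSIX shell script reads a php.ini without needing PHP installed and audits it against the settings from the sections above: the expected values of the error, expose_php, remote-include and session cookie directives, and whether disable_functions covers a required set of command-execution functions. The function names and the sample php.ini are this example's own constructions; a real audit points PHP_INI at /etc/php5/apache2/php.ini (or the php.ini of whichever SAPI serves the site).

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the
# settings recommended above. Function names are our own; the sample
# php.ini at the bottom is constructed for the demonstration.

# ini_get FILE DIRECTIVE: print the effective value of DIRECTIVE.
# ';' starts a comment, surrounding whitespace and quotes are stripped,
# and, as PHP does, the last occurrence in the file wins.
ini_get() {
    sed 's/;.*//' "$1" | awk -F= -v key="$2" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                val = v
            }
        }
        END { print val }'
}

# ini_norm VALUE: fold PHP's boolean spellings so On/1/true/yes compare
# equal and Off/0/false/no/none/"" compare equal; others are lower-cased.
ini_norm() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        on|1|true|yes)          echo on ;;
        off|0|false|no|none|"") echo off ;;
        *)                      echo "$lc" ;;
    esac
}

# ini_expect FILE DIRECTIVE EXPECTED: 0 if DIRECTIVE is set explicitly to
# EXPECTED. An unset directive fails even where PHP's compiled-in default
# would be safe, because defaults differ between versions and packages.
ini_expect() {
    actual=$(ini_get "$1" "$2")
    if [ -z "$actual" ]; then
        echo "FAIL $2 is not set (expected $3)"; return 1
    fi
    if [ "$(ini_norm "$actual")" = "$(ini_norm "$3")" ]; then
        echo "ok   $2 = $actual"; return 0
    fi
    echo "FAIL $2 = $actual (expected $3)"; return 1
}

# ini_disabled_covers FILE FUNCTION...: 0 if every FUNCTION appears in the
# comma-separated disable_functions list (whitespace ignored).
ini_disabled_covers() {
    file=$1; shift
    disabled=$(ini_get "$file" disable_functions | tr ',' '\n' |
               sed 's/^[ \t]*//; s/[ \t]*$//')
    missing=""
    for fn in "$@"; do
        printf '%s\n' "$disabled" | grep -qxF "$fn" || missing="$missing $fn"
    done
    [ -z "$missing" ] && return 0
    echo "FAIL disable_functions does not cover:$missing"; return 1
}

# audit_php_ini FILE: run the checks from this post; 0 only if all pass.
audit_php_ini() {
    f=$1; rc=0
    ini_expect "$f" display_errors Off          || rc=1
    ini_expect "$f" expose_php Off              || rc=1
    ini_expect "$f" allow_url_fopen Off         || rc=1
    ini_expect "$f" allow_url_include Off       || rc=1
    ini_expect "$f" session.cookie_httponly On  || rc=1
    ini_disabled_covers "$f" exec system shell_exec passthru proc_open phpinfo || rc=1
    return $rc
}

# write_sample_ini FILE: constructed php.ini with two deliberate problems
# (display_errors left On, shell_exec missing) and a duplicated expose_php
# to show that the last occurrence wins.
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
expose_php = On
display_errors = On        ; forgotten: the audit must flag this
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec, system, passthru, proc_open, phpinfo
expose_php = Off           ; later line overrides the one above
session.cookie_httponly = 1
EOF
}

# Usage: PHP_INI=/etc/php5/apache2/php.ini sh audit.sh; without PHP_INI the
# constructed sample is audited and two FAIL lines are expected.
if [ -n "$PHP_INI" ]; then
    audit_php_ini "$PHP_INI" || echo "problems found in $PHP_INI"
else
    sample=$(mktemp)
    write_sample_ini "$sample"
    audit_php_ini "$sample" || echo "problems found in the constructed sample (expected)"
    rm -f "$sample"
fi
```

Because the script only parses text, it reports what the file says, not what the running server sees: an extra .ini dropped into conf.d or a value overridden in a virtual host still wins at runtime, so run it against every file the SAPI loads.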

suhosin

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. It is a PHP 5 extension: Debian and Ubuntu stopped packaging it with their PHP 5.4-based releases, and it never had a stable PHP 7 release, so the steps below only apply where the php5-suhosin package is still available.

Install suhosin

sudo apt-get install php5-suhosin

Configure suhosin

To configure Suhosin, open suhosin.ini. On older php5 packages it lives in /etc/php5/conf.d; newer ones keep it in /etc/php5/mods-available with symlinks under each SAPI's conf.d directory.

sudo vi /etc/php5/conf.d/suhosin.ini

Enable suhosin (the package normally adds this line already; check that it is present and not commented out)

extension=suhosin.so

Disable session encryption

Suhosin transparently encrypts session data in the storage backend, and that is on by default. Turn it off only if it breaks your setup (for example sessions shared between hosts with different keys, or read by non-PHP code); otherwise leave it on, since disabling it is a loss of protection, not a gain.

suhosin.session.encrypt = Off

Log all alerts

suhosin.log.syslog is a bitmask of the Suhosin alert classes to send to syslog; 511 selects all of them, so every blocked request, variable or include attempt ends up in the system log where you can alert on it.

suhosin.log.syslog=511

Max traversal

Limit how many ../ sequences a path passed to include or require may contain (0 disables the check). An include with more than that many is blocked, which hampers path-traversal attacks through includes built from user input. 4 is generous; count the deepest relative include in your own code and set it no higher.

suhosin.executor.include.max_traversal=4

Disable eval

eval() turns any string an attacker controls into executed code; very few applications need it, so block it outright.

suhosin.executor.disable_eval=On

Disable /e modifier

The preg_replace /e modifier evaluates the replacement string as PHP code, which turns a user-controlled replacement into code execution. It was deprecated in PHP 5.5 and removed in 7.0; on PHP 5 this directive blocks it.

suhosin.executor.disable_emodifier=On

Reject newlines in the Subject: and To: headers, and double newlines in the additional headers passed to mail(), which is how an attacker turns a contact form into a spam relay or injects a fake message body (e-mail header injection):

suhosin.mail.protect=2

Recommended Settings

Abort the script on any failed SQL query instead of letting it continue. Failed queries are a typical symptom of injection probing, and stopping immediately keeps an error-based attack from returning partial results:

suhosin.sql.bailout_on_error=On

Filtering Options

These cap the number of variables PHP accepts per source (cookie, GET, POST, request) and the length of their names and array indexes; anything beyond a limit is dropped and an alert is logged. They bound the parsing work one request can cause and catch attacks that rely on absurdly long or numerous variable names. The values below are generous, so lower them to what your largest forms actually need. (Core PHP 5.3.9 and later has max_input_vars for the variable count.)

suhosin.cookie.max_vars = 2048
suhosin.get.max_array_index_length = 256
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 2048
suhosin.request.max_totalname_length = 8192
suhosin.request.max_varname_length = 256

Restart Apache

sudo service apache2 restart

A bad php.ini line does not stop Apache from starting, so check the Apache error log after the restart for "PHP Warning" lines about unknown or no-longer-available directives, and confirm the new values from the application rather than from the php command, which reads the CLI php.ini.