Earlier, people such as Shaun Clowes and rfp gave detailed introductions to the vulnerabilities encountered when programming PHP and CGI applications and to how a system can be broken into through application flaws. In this article we look at the server side instead: using some of PHP's own features to configure PHP securely. When we write CGI scripts we do pay attention to all kinds of security issues and strictly filter user input, but whoever walks by the river will sooner or later get wet shoes: even famous programs such as PHPNuke and phpMyAdmin have had very serious problems, never mind the more amateurish scripts. So let us now assume that a PHP script has a serious problem, for example a PHPNuke that allows PHP scripts to be uploaded. How do we configure the server so that such a script cannot be used to break into the system?
1. Pay attention to known vulnerabilities when compiling
Starting from 4.0.5, PHP's mail() function accepts a fifth parameter, but it is not filtered, so a PHP application can use it to break through the safe_mode restriction and execute commands. When using 4.0.5 and 4.0.6, therefore, we need to modify the ext/standard/mail.c file in the PHP source package before compiling, or filter the shell metacharacters. Line 152 of mail.c reads:

    if (extra_cmd != NULL) {

At this point add either

    extra_cmd = NULL;

(which discards the extra parameter altogether) or

    extra_cmd = php_escape_shell_cmd(extra_cmd);

(which escapes the shell metacharacters in it), then compile PHP, and this vulnerability is fixed.
2. Modify the php.ini configuration file
The changes below are based on the php.ini-dist file shipped with the PHP release.
1) Error Handling and Logging
Some settings can be made in the Error Handling and Logging section. First find:
display_errors = On
By default PHP displays error messages; change this to:
display_errors = Off
Once error display is turned off, the error messages produced when PHP functions fail are no longer shown to the user. This prevents an attacker from learning the physical location of the script and other useful details from error messages, and at the very least makes black-box probing harder. The error messages may still be useful to us, so let them be written to a specified file; for that, find:
log_errors = Off
Change to:
log_errors = On
and specify the file: find the line
;error_log = filename
Remove the leading ';' (the comment marker) and change filename to the file you want, for example /usr/local/apache/logs/php_error.log:
error_log = /usr/local/apache/logs/php_error.log
All errors will now be written to the php_error.log file.
2) Safe Mode
PHP's safe_mode feature restricts or disables many functions and can solve PHP security problems to a large extent. In the Safe Mode section find:
safe_mode = Off
Change to:
safe_mode = On
This turns safe_mode on. Functions that execute system commands, such as shell_exec() and the backtick operator ``, are disabled, and the other execution functions, such as exec(), system(), passthru() and popen(), are restricted so that they can only run programs in the directory specified by safe_mode_exec_dir. If you really need to execute some commands or programs, find the following:
safe_mode_exec_dir =
and specify the path of the programs allowed to be executed, for example:
safe_mode_exec_dir = /usr/local/php/exec
Then copy the programs you want to run into the /usr/local/php/exec directory; the restricted functions can then execute programs in this directory.
For more information on the functions restricted under safe mode, see the PHP manual:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If some functions are dangerous and you do not use them, it is safest to disable them. Find the line:
disable_functions =
After the '=', add the functions you want to disable; separate multiple functions with ','.
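As an added example (not part of the original article), the following Python script checks a php.ini file for the settings recommended in section 2 above: display_errors off, log_errors on with an error_log file named, safe_mode on with safe_mode_exec_dir set, and a non-empty disable_functions list. The two embedded php.ini fragments are constructed for the demonstration; the parser only handles the simple "key = value" lines and ';' comments used in php.ini-dist, not every form of syntax PHP accepts.

```python
# Directives from the article's php.ini hardening and the value each should have.
RECOMMENDED = {
    "display_errors": "off",   # never show errors (and script paths) to visitors
    "log_errors": "on",        # ...but keep them for the administrator
    "safe_mode": "on",         # restrict command execution and uid-mismatched file access
}

# Constructed sample resembling the php.ini-dist defaults.
WEAK_INI = """\
[PHP]
display_errors = On
log_errors = Off
;error_log = filename
safe_mode = Off
disable_functions =
"""

# Constructed sample with the article's changes applied.
HARDENED_INI = """\
[PHP]
display_errors = Off
log_errors = On
error_log = /usr/local/apache/logs/php_error.log
safe_mode = On
safe_mode_exec_dir = /usr/local/php/exec
disable_functions = shell_exec, exec, system, passthru, popen
"""


def parse_php_ini(text):
    """Collect 'key = value' directives: ';' starts a comment, [sections] are
    skipped, later definitions win, and quotes around values are removed."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def disabled_functions(text):
    """Return the function names listed in disable_functions (comma separated)."""
    value = parse_php_ini(text).get("disable_functions", "")
    return [f.strip() for f in value.split(",") if f.strip()]


def audit_php_ini(text):
    """Return a list of human-readable findings where the file deviates from
    the hardened configuration; an empty list means all checks passed."""
    d = parse_php_ini(text)
    findings = []
    for key, wanted in RECOMMENDED.items():
        actual = d.get(key, "").lower()
        if actual != wanted:
            findings.append(f"{key} should be {wanted}, found {actual or '(unset)'}")
    if d.get("log_errors", "").lower() == "on" and not d.get("error_log"):
        findings.append("log_errors is on but error_log names no file")
    if d.get("safe_mode", "").lower() == "on" and not d.get("safe_mode_exec_dir"):
        findings.append("safe_mode is on but safe_mode_exec_dir is not set")
    if not disabled_functions(text):
        findings.append("disable_functions is empty")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit_php_ini(ini) or 'no findings'}")
```

To audit a real server, read /usr/local/lib/php.ini (or whatever phpinfo() reports as the loaded configuration file) and pass its contents to audit_php_ini(); the checks only cover the directives discussed in this section.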
3. Modify httpd.conf
If you want your PHP scripts to operate only within the web directory, you can also modify the httpd.conf file to limit the path PHP may operate on. For example, if your web directory is /usr/local/apache/htdocs, add these lines to httpd.conf:
<Directory /usr/local/apache/htdocs>
php_admin_value open_basedir /usr/local/apache/htdocs
</Directory>
This way a script is refused when it reads files outside /usr/local/apache/htdocs, and if error display is on the error is reported like this:
Warning: open_basedir restriction in effect. File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
4. Compile the PHP code
Zend has contributed a great deal to PHP: the PHP4 engine comes from Zend, and Zend has also developed many PHP enhancement components such as ZendOptimizer and ZendEncode. The optimizer ZendOptimizer is free and can be obtained from http://www.zend.com; the ZendOptimizer packages below are for PHP 4.0.5 and 4.0.6, with file names for their respective systems:
ZendOptimizer-1.1.0-php_4.0.5-freebsd4.0-i386.tar.gz
ZendOptimizer-1.1.0-php_4.0.5-linux_glibc21-i386.tar.gz
ZendOptimizer-1.1.0-php_4.0.5-Solaris-sparc.tar.gz
ZendOptimizer-1.1.0-php_4.0.5-windows-i386.zip
Installing the optimizer is very easy, and the package contains detailed instructions. Taking the UNIX version as an example, extract the ZendOptimizer.so file for your operating system from the package into a directory, say /usr/local/lib, and add two lines to php.ini:
zend_optimizer.optimization_level = 15
zend_extension = "/usr/local/lib/ZendOptimizer.so"
That is all. Run phpinfo(), and if you see the Zend logo on the left with the following text:
with Zend Optimizer v1.1.0, Copyright © 1998-2000, by Zend Technologies
then the optimizer has been installed successfully.
The compiler ZendEncode, however, is not free. A compiler wrapper written by Ma Yong of http://www.phpese.com is available; if it is used for commercial purposes, please contact http://www.zend.com for a license agreement. After a PHP script is compiled, it executes faster and the script file shows only a pile of garbled bytes, which prevents an attacker from analysing the service further; passwords stored in the PHP script, such as the MySQL password, also stay confidential. The drawback is that modifying the script on the server becomes more troublesome; it has to be modified locally instead.
5. Permission settings for files and directories
Apart from the upload directory, no other directory or file under the web directory may be writable by the nobody user; otherwise an attacker can modify the home page file. So the permissions of the web directory must be set properly.
Also, the owner of a PHP script must not be root, because safe_mode only allows a script to read files whose owner is the same as the script's owner; otherwise, if error display is on, an error such as the following is shown:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php
on line 3
In this way many system files, such as /etc/passwd, are protected from being read.
Finally, the owner of the upload directory and the owner of the scripts also need to be set properly, otherwise errors will occur; this needs attention under safe_mode.
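The following Python script is an added example, not from the original article. It walks a web directory and reports two things from section 5: entries outside the upload directory that the web-server user could write to, judged from the classic owner/group/other permission bits, and scripts owned by a forbidden uid (root by default), which under safe_mode would let the script read root-owned files. The sample tree it builds in a temporary directory is constructed for the demonstration; the uid 65534 used for nobody in the usage block is an assumption (take the real one from /etc/passwd), and ACLs are not considered.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids=()):
    """True if a process with this uid and these gids may write the inode
    described by st, judged from the owner/group/other bits only."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def owner_uid(path):
    """Numeric owner of a path (helper so callers need not stat themselves)."""
    return os.stat(path).st_uid


def _inside(path, parent):
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    return path == parent or path.startswith(parent + os.sep)


def audit_webroot(webroot, upload_dir, web_uid, web_gids=(),
                  forbidden_owners=(0,), script_exts=(".php",)):
    """Return a set of (finding, path) pairs:
    - 'writable-by-web-user' for anything outside upload_dir the web user could write
    - 'script-owned-by-forbidden-uid' for scripts owned by root (or another forbidden uid)"""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not _inside(path, upload_dir) and writable_by(st, web_uid, web_gids):
                findings.add(("writable-by-web-user", path))
            if name.lower().endswith(script_exts) and st.st_uid in forbidden_owners:
                findings.add(("script-owned-by-forbidden-uid", path))
    return findings


def build_demo_tree():
    """Constructed sample layout in a temporary directory: an upload dir that
    must stay writable, a sane index.php and a world-writable config.php."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    upload = os.path.join(root, "upload")
    os.mkdir(upload)
    os.chmod(upload, 0o777)
    paths = {"root": root, "upload": upload,
             "index": os.path.join(root, "index.php"),
             "config": os.path.join(root, "config.php"),
             "uploaded": os.path.join(upload, "photo.txt")}
    for key, mode in (("index", 0o644), ("config", 0o666), ("uploaded", 0o666)):
        with open(paths[key], "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(paths[key], mode)
    return paths


if __name__ == "__main__":
    p = build_demo_tree()
    # Assumption: nobody has uid 65534 on this host; check /etc/passwd.
    for finding, path in sorted(audit_webroot(p["root"], p["upload"], web_uid=65534)):
        print(finding, path)
```

On a real server call audit_webroot("/usr/local/apache/htdocs", "/usr/local/apache/htdocs/upload", web_uid=<uid of nobody>, web_gids=(<gid of nobody>,)); the directory holding uploads is deliberately excluded from the writability check because it has to be writable.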
6. MySQL startup permission settings
MySQL should not be started as root; it is best to create a mysqladm user and start it from a startup script such as /etc/rc.local with:
su mysqladm -c "/usr/local/mysql/share/mysql/mysql.server start"
This way the MySQL process is started automatically as the mysqladm user after the system reboots.
7. Auditing the log files and the upload directory
Reviewing logs has a lot to do with the administrator's laziness: digging a few clues out of a huge log file is like looking for a needle in the sea, and the clues may not even be there.
The files in the web upload directory should also be checked; there may be a problem, for example a user uploading illegal files such as executable scripts.
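Added example, not from the article: a Python parser for the php_error.log written by the error_log setting from section 2. It picks out the open_basedir and safe mode restriction warnings quoted earlier and counts them per script, so that blocked access attempts do not get lost in the log, and it lists files with script extensions in the upload directory. The log lines are constructed from the message texts shown above in the layout "[date] PHP Level:  message in FILE on line N"; that layout is an assumption about how PHP writes the log and should be checked against a real file before the regular expression is relied on.

```python
import os
import re
import tempfile
from collections import Counter

# Assumed log layout: "[date] PHP Level:  message in FILE on line N".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+PHP (?P<level>\w+):\s+(?P<msg>.*?)"
    r" in (?P<file>\S+) on line (?P<line>\d+)\s*$"
)
TARGET_RE = re.compile(r"not allowed to access (\S+)")

# Constructed sample log using the warning texts from the article.
SAMPLE_LOG = """\
[10-Sep-2001 10:02:13] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
[10-Sep-2001 10:02:41] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
[10-Sep-2001 10:05:09] PHP Notice:  Undefined variable: foo in /usr/local/apache/htdocs/index.php on line 12
[10-Sep-2001 10:07:55] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/upload/x.php on line 1
this line is not a PHP log entry
"""


def classify(msg):
    """Map a message to the restriction that produced it, or None."""
    m = msg.lower()
    if "open_basedir restriction in effect" in m:
        return "open_basedir"
    if "safe mode restriction in effect" in m:
        return "safe_mode"
    return None


def parse_php_error_log(text):
    """Parse log lines into dicts with ts, level, msg, file, line, kind, target."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev["line"] = int(ev["line"])
        ev["kind"] = classify(ev["msg"])
        t = TARGET_RE.search(ev["msg"])
        ev["target"] = t.group(1) if t else None
        events.append(ev)
    return events


def restriction_hits(text):
    """Count open_basedir / safe_mode refusals per script path."""
    return Counter(ev["file"] for ev in parse_php_error_log(text) if ev["kind"])


def find_script_uploads(upload_dir, exts=(".php", ".php3", ".phtml")):
    """List files in the upload directory whose extension marks them as PHP scripts."""
    hits = []
    for dirpath, _, filenames in os.walk(upload_dir):
        for name in filenames:
            if name.lower().endswith(exts):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_upload_dir():
    """Constructed sample upload directory: one harmless file, one script."""
    root = tempfile.mkdtemp(prefix="upload-")
    for name in ("photo.jpg", "uploaded.PHP"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for script, count in restriction_hits(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {script}")
    print(find_script_uploads(demo_upload_dir()))
```

A script that repeatedly trips safe_mode or open_basedir, especially one living under the upload directory, is exactly the kind of clue this section says is easy to miss in a large log; running restriction_hits() over /usr/local/apache/logs/php_error.log from cron turns the search into a short report.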
8. The operating system itself
Likewise, patching known vulnerabilities in the system is the most basic responsibility of a system administrator and the last line of defense.
With the configuration above, although it is not an impregnable fortress, it does give an attacker a lot of trouble: even if a PHP script has a fairly serious vulnerability, the attacker cannot cause real damage.
If you have other unusual or more flexible configuration methods, I hope you will share them too ;)