Strengthen the security of PHP by configuring some server-side features of PHP_PHP Tutorial

Strengthen the security of PHP by configuring some server-side features of PHP

by san@xfocus.org

Shaun Clowes and rfp have introduced the programming of PHP and CGI programs in more detail The problems encountered during the process, and how to break through the system through
application vulnerabilities, in this article we will strengthen the security of PHP by configuring some server-side features of PHP. When writing
cgi scripts, we must pay attention to various security issues and strictly filter user input. However, how can we walk on the shore without getting wet shoes
or eat sesame seeds without losing sesame seeds? Even famous programs such as phpnuke and phpMyAdmin have experienced serious
problems, let alone scripts written by punks like me. So now we assume that serious problems have occurred in php scripts. For example, a while ago,
phpnuke had a big problem with being able to upload php scripts. How can we configure the server to prevent such problems in the script and not break through the
system.

1. Pay attention to patching known vulnerabilities when compiling
Starting from 4.0.5, PHP’s mail function has added a fifth parameter, but it is not filtered properly, so that PHP applications can Break through the restrictions of
safe_mode and execute commands. Therefore, when using 4.0.5 and 4.0.6, we need to modify the
ext/standard/mail.c file in the php source code package before compilation to disable the fifth parameter of the mail function or filter shell characters. In the mail.c file, line 152
, which is the following line:
if (extra_cmd != NULL) {
 followed by extra_cmd=NULL; or extra_cmd = php_escape_shell_cmd(extra_cmd) ;Then compile php
 Then we will fix this vulnerability.

2. Modify the php.ini configuration file
Make modifications based on the php.ini-dist of the PHP distribution version.
1)Error handling and logging
You can make some settings in the Error handling and logging section. First find:
display_errors = On
php turns on error message display by default, we change it to:
display_errors = Off
After turning off error display, PHP function execution error information will no longer be displayed to the user. This can prevent attackers from knowing the physical location of the script and some other useful information from the
error message, at least to the attacker. Black box detection causes certain obstacles
. These error messages may be useful to ourselves. We can let it be written to the specified file, then modify the following:
log_errors = Off
Change to:
log_errors = On
And the specified file, find the following line:
;error_log = filename
Remove the previous; comment, and change filename to the specified file, such as /usr/local/apache/logs/php_error. log
error_log = /usr/local/apache/logs/php_error.log
In this way, all errors will be written to the php_error.log file.
2)Safe Mode
PHP’s safe_mode function limits or disables many functions, which can solve PHP security issues to a great extent. Find in the
Safe Mode section:
safe_mode = Off
Changed to:
safe_mode = On
This turns on the safe_mode function. Some functions such as shell_exec() and `` that can execute system commands are prohibited, and other execution functions such as: exec(), system(), passthru(), popen() will be restricted. Execute the program in the directory specified by
safe_mode_exec_dir. If you really want to execute some commands or programs, find the following:
safe_mode_exec_dir =
Specify the path of the program to be executed, such as:
safe_mode_exec_dir = /usr/local/php/ exec
Then copy the program to be used to the /usr/local/php/exec directory, so that the restricted functions like the above can also execute the programs in the directory
.
For detailed information about restricted functions in safe mode, please see the instructions on the main php site:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are not clear about the harmfulness of some functions and do not use them, simply disable these functions. Find the following line:
disable_functions =
Add the function to be disabled after "=", and separate multiple functions with ",".

3. Modify httpd.conf
If you only allow your php script program to operate in the web directory, you can also modify the httpd.conf file to limit the operation path of php.For example
If your web directory is /usr/local/apache/htdocs, then add these lines to httpd.conf:

php_admin_value open_basedir /usr/local/apache/htdocs

In this way, if the script wants to read files other than /usr/local/apache/htdocs, it will not be allowed. If the error display is turned on
 an error like this will be prompted:
Warning: open_basedir restriction in effect. File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
Wait.

4. Compile PHP code
Zend has made a great contribution to PHP. The engine of PHP4 is based on Zend, and it has also developed ZendOptimizer and ZendEncode
and many other PHP enhancements components. The optimizer ZendOptimizer can be obtained for free by just registering at http://www.zend.com.
The following are ZendOptimizers for 4.0.5 and 4.0.6. The file names are for their respective systems:
ZendOptimizer-1.1.0-PHP_4.0.5-FreeBSD4.0-i386.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Linux_glibc21-i386.tar.gz
ZendOptimizer-1.1 .0-PHP_4.0.5-Solaris-sparc.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Windows-i386.zip
The installation of the optimizer is very convenient, and there are detailed instructions in the package illustrate. Taking the UNIX version as an example, check the operating system clearly and extract the
ZendOptimizer.so file in the package to a directory, assuming it is under /usr/local/lib. Add two sentences to php.ini:
zend_optimizer.optimization_level=15
zend_extension="/usr/local/lib/ZendOptimizer.so"
That’s it. Use phpinfo() to see the following text on the left side of the Zend icon:
with Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
Then, the optimizer has been successfully mounted.
However, the compiler ZendEncode is not free. Here is a compiler shell designed by Ma Yong of http://www.PHPease.com.
If it is used for commercial purposes, please contact http: Contact //www.zend.com to obtain a license agreement.
After the PHP script is compiled, the execution speed of the script increases a lot. The script file can only see a bunch of garbled characters, which will prevent attackers from further analyzing the script program on the server.
The script was originally written in PHP Passwords stored in clear text in the script are also kept confidential, such as mysql passwords. However, it is more troublesome to modify the script on the server
. It is better to modify it locally and then upload it.

5. Permission settings for files and directories
Except for the upload directory, the permissions for other directories and files in the web directory must not allow the nobody user to have write permissions. Otherwise, the attacker can
modify the home page file, so the permissions of the web directory must be set properly.
Also, the owner of the php script must not be root, because the function of reading files in safe_mode is restricted to the owner of the read file must be
The owner of the currently executing script can be the same. Read, otherwise if error display is turned on, errors such as the following will be displayed:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php
on line 3
In this way we can prevent many system files from being read, such as: /etc/passwd, etc.
The owners of the upload directory and the upload script must also be set to the same, otherwise errors will occur. Please pay attention to these in safe_mode.

6. Mysql startup permission settings
Mysql should be noted not to be started with root. It is best to create another mysqladm user. You can add a sentence to the startup script of systems such as /etc/rc.local:
su mysqladm -c "/usr/local/mysql/share/mysql/mysql.server start"
This way After the system restarts, the mysql process will be automatically started as the mysqladmin user.

7. Review of log files and upload directories
Viewing logs has a lot to do with human laziness. Finding traces of attacks from such a large log file is like looking for a needle in a haystack, and there may not be one.
The files in the directory uploaded by the web should also be checked frequently. There may be a problem with the program and the user has uploaded some illegal files, such as execution scripts
Scripts, etc.

8. Patches of the operating system itself
Similarly, patching known vulnerabilities in the system is the most basic responsibility of the system administrator, and it is also the last line of defense.

After the above configuration, although it cannot be said to be impregnable, it has also caused a lot of trouble for the attacker's testing to a considerable extent. Even if the php script program
has a serious vulnerability, the attacker cannot cause it Actual destruction.
If you have any weirder or more perverted configuration methods, I hope you can share them;) (Source: viphot)

http://www.bkjia.com/PHPjc/314471.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/314471.htmlTechArticleEnhance the security of PHP by configuring some server-side features of PHP by san@xfocus.org Like Shaun Clowes and rfp and others have introduced in detail the problems encountered in the programming process of php and cgi programs...