Part 8: Harden PHP
Most PHP vulnerabilities live in application code. As the system administrator you usually cannot fix those bugs, but you can limit what a compromised script is able to do by tightening php.ini. The settings below restrict file access, remote includes, uploads and information leakage; they reduce the impact of a bug, they do not remove it.
vim /usr/local/lib/php.ini

safe_mode = On                  ; deprecated in PHP 5.3 and removed in 5.4; on newer PHP rely on open_basedir and disable_functions
safe_mode_gid = On
safe_mode_include_dir
safe_mode_exec_dir
open_basedir                    ; confines PHP file operations to this directory and below
disable_functions               ; disable every function the application does not need (exec, system, ...)
allow_url_fopen = Off           ; no remote URLs in fopen()/include()
allow_url_include = Off
file_uploads = Off              ; if uploads are needed, keep the next two lines instead:
upload_tmp_dir = /var/php_tmp   ; a dedicated directory outside the web root
upload_max_filesize = 2M
session.cookie_httponly = 1     ; session cookie not readable from JavaScript
session.referer_check = website.com   ; substring match on the Referer header only; treat it as a speed bump, not CSRF protection
expose_php = Off                ; drop the X-Powered-By header and the version easter eggs
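As an added example that is not part of the original guide, the following PHP script checks the effective runtime configuration against the baseline above. It is my own code, with function names of my choosing; it reads ini_get() rather than the file because each SAPI (CLI, php-fpm, mod_php) can load a different php.ini and per-directory overrides never show up in /usr/local/lib/php.ini. Run it under the SAPI you are actually hardening.

```php
<?php
// php_ini_audit.php: compare the live PHP configuration against the hardened
// baseline and list every deviation. Exit status 1 when something needs fixing.

declare(strict_types=1);

/** Convert a php.ini shorthand size ("2M", "512K", "1G", "2048") to bytes. */
function iniSizeToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;              // numeric prefix: "2M" -> 2
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 ** 3;
        case 'M': return $number * 1024 ** 2;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

/** ini_get() returns whatever string php.ini held ("On", "1", "Off", "", ...). */
function iniBool(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Returns a list of findings; an empty list means the baseline is met.
 * $ini lets a caller pass a snapshot (directive => value) instead of live values.
 */
function auditPhpIni(?array $ini = null): array
{
    $get = static function (string $key) use ($ini): ?string {
        if ($ini !== null) {
            return $ini[$key] ?? null;
        }
        $v = ini_get($key);
        return $v === false ? null : $v;  // false: directive unknown to this PHP build
    };

    $findings = [];

    // Directives that must be off.
    foreach (['allow_url_fopen', 'allow_url_include', 'expose_php'] as $key) {
        if (iniBool((string) $get($key))) {
            $findings[] = "$key is enabled; set it to Off";
        }
    }

    if (!iniBool((string) $get('session.cookie_httponly'))) {
        $findings[] = 'session.cookie_httponly is not set; set it to 1';
    }

    // Directives that must carry a value.
    foreach (['open_basedir', 'disable_functions'] as $key) {
        if (trim((string) $get($key)) === '') {
            $findings[] = "$key is empty; restrict it";
        }
    }

    // Uploads allowed: check the compensating controls from the baseline.
    if (iniBool((string) $get('file_uploads'))) {
        if (trim((string) $get('upload_tmp_dir')) === '') {
            $findings[] = 'file_uploads is On but upload_tmp_dir is unset (system temp dir will be used)';
        }
        if (iniSizeToBytes((string) $get('upload_max_filesize')) > 2 * 1024 ** 2) {
            $findings[] = 'upload_max_filesize exceeds the 2M baseline';
        }
    }

    // safe_mode was removed in PHP 5.4; ini_get() then returns false, so only
    // report it when the directive actually exists and is switched off.
    $safeMode = $get('safe_mode');
    if ($safeMode !== null && !iniBool($safeMode)) {
        $findings[] = 'safe_mode is Off';
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    $findings = auditPhpIni();
    foreach ($findings as $finding) {
        fwrite(STDERR, "[!] $finding\n");
    }
    echo $findings === [] ? "php.ini matches the hardened baseline\n" : '';
    exit($findings === [] ? 0 : 1);
}
```

To audit the web SAPI instead of the CLI, drop the script into the document root temporarily, request it once, and remove it again; it only reports configuration, but there is no reason to leave it reachable.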
If you do have access to the code:
– Analyze all built-in function calls for necessity. Everything the application never calls can go into the disable_functions and disable_classes directives in php.ini, so an injected script cannot use it either.
– Check that no SQL query is built by concatenating user input into the query string; use prepared statements with bound parameters (PDO or mysqli). Escaping is context specific: escapeshellarg() and escapeshellcmd() protect arguments handed to a shell, htmlentities() protects HTML output, and strip_tags() is not a reliable defence against either. None of these four functions is an SQL escaper.
– Consider the Suhosin extension and patch, which harden the PHP engine itself (it is an add-on to the PHP 5 interpreter, not a replacement for PHP).
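The code-level points above, shown side by side as an added example that is not from the original page: a query that splices user input into SQL, the prepared-statement version of the same query, and the encoders that belong to other output contexts. The in-memory SQLite database, its two rows and the injection payload are constructed here for illustration; running it needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

/** Constructed test database so the example runs offline. */
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

/** VULNERABLE: the untrusted value becomes part of the SQL text. */
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** HARDENED: the SQL text is fixed; the value travels as a bound parameter. */
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** HTML context: encode on output, never in the database. */
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Shell context: quote the single argument, so metacharacters stay literal. */
function listFileCommand(string $path): string
{
    return 'ls -l ' . escapeshellarg($path);
}

if (PHP_SAPI === 'cli') {
    $db = makeDb();
    // Classic tautology payload: closes the string literal, then OR-s in a
    // condition that is true for every row, so the WHERE clause no longer filters.
    $payload = "' OR '1'='1";

    // The concatenated query matches every user; the prepared one looks for a
    // user whose name is literally the payload string and finds none.
    printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($db, $payload)));
    printf("prepared query returned %d row(s)\n", count(findUserSafe($db, $payload)));

    // Same input, different contexts, different encoders.
    echo 'HTML:  ', renderName('<b>' . $payload . '</b>'), "\n";
    echo 'shell: ', listFileCommand('report.txt; rm -rf /'), "\n";
}
```

The point of the two query functions is that the hardened one never changes the SQL text: whatever the attacker supplies is compared as data. The two encoders show why the original list of functions cannot substitute for that; each of them is correct only for the context it was written for.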
2) Although this page will grow with time, by no means is this a definitive list. Please perform further research.