Part 8: Harden PHP


Most PHP vulnerabilities live in application code. As the system administrator, however, you can still take a number of precautions in the interpreter's configuration without having to fix bugs in that code.

vim /usr/local/lib/php.ini

; safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; the four
; safe_mode directives below only have an effect on older releases
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir = /path/to/includes      ; placeholder: directory whose files may be included under safe_mode
safe_mode_exec_dir = /path/to/bin              ; placeholder: the only directory exec() may run binaries from
open_basedir = /path/to/webroot                ; placeholder: confines PHP file operations to this directory and below
disable_functions = exec,passthru,shell_exec,system   ; example list: disable every function your applications don't need
allow_url_fopen = Off
allow_url_include = Off
file_uploads = Off
; if uploads are required, leave file_uploads = On and bound them instead:
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
session.cookie_httponly = 1
session.referer_check = website.com
expose_php = Off
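An added example, not part of the original post, that checks the running interpreter against the baseline above. It uses only the standard ini_get() and version_compare() calls and assumes PHP 7 or later for the scalar type declarations. Note that the CLI SAPI can load a different php.ini than Apache or php-fpm (compare `php --ini`), so run it through the web SAPI as well to audit the configuration that actually serves requests.

```php
<?php
// Added example (not from the original post): audit the live PHP configuration
// against the hardened php.ini values recommended above.
// Usage: php audit_ini.php   (exit code 1 when any directive deviates)

// Boolean directives and the value they should have ('1' = On, '0' = Off)
$expected = [
    'allow_url_fopen'         => '0',
    'allow_url_include'       => '0',
    'file_uploads'            => '0',
    'expose_php'              => '0',
    'session.cookie_httponly' => '1',
];

// Directives that only do something when they carry a non-empty value
$mustBeSet = ['open_basedir', 'disable_functions', 'session.referer_check'];

// php.ini booleans may be stored as "On"/"Off", "1"/"0", "yes"/"no" or "";
// fold them to '1' or '0' so they can be compared
function normalizeBool(string $value): string
{
    $value = strtolower(trim($value));
    return in_array($value, ['1', 'on', 'yes', 'true'], true) ? '1' : '0';
}

function auditIni(array $expected, array $mustBeSet): array
{
    $findings = [];

    foreach ($expected as $name => $want) {
        $have = ini_get($name);                 // false if the directive is unknown
        if ($have === false) {
            $findings[] = "$name: directive not available in this PHP build";
            continue;
        }
        if (normalizeBool($have) !== $want) {
            $findings[] = sprintf('%s = %s (expected %s)',
                $name, var_export($have, true), $want === '1' ? 'On' : 'Off');
        }
    }

    foreach ($mustBeSet as $name) {
        $have = ini_get($name);
        if ($have === false || trim((string) $have) === '') {
            $findings[] = "$name is not set";
        }
    }

    // safe_mode only exists before PHP 5.4; on newer releases there is nothing to check
    if (version_compare(PHP_VERSION, '5.4.0', '<')
        && normalizeBool((string) ini_get('safe_mode')) !== '1') {
        $findings[] = 'safe_mode = Off (directive exists only on PHP < 5.4)';
    }

    return $findings;
}

$findings = auditIni($expected, $mustBeSet);
if ($findings === []) {
    echo "All audited directives match the hardened baseline.\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
exit(1);
```

Because the script only reads ini_get(), it reports what the interpreter actually applied, including values overridden later by php-fpm pool settings, .htaccess php_flag lines or ini_set() calls, which a plain grep of php.ini would miss.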

If you do have access to the code:
– Analyze every built-in function call for necessity. You might want to leverage the disable_functions and disable_classes php.ini directives to turn off whatever is left unused.
– Check for SQL queries that use untrusted input without sanitising it first (escapeshellarg(), escapeshellcmd(), htmlentities(), and strip_tags()). Keep in mind that these functions escape for the shell and HTML contexts; for the SQL context itself, use prepared statements with bound parameters.
– Consider running PHP with the Suhosin hardening patch and extension instead of stock PHP.
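As an added illustration, not code from the original post: the same untrusted value handled in the three contexts the list above touches (SQL, HTML, shell), with the vulnerable query beside its parameterised form. It assumes the pdo_sqlite extension so the query part can run against an in-memory database; the table, its rows and the hostile input are constructed for the demo.

```php
<?php
// Added example (not from the original post). One untrusted value, three
// output contexts; each context needs its own escaping, and neither
// htmlentities() nor strip_tags() makes a value safe inside SQL.

// --- Vulnerable: the value is spliced into the SQL text ---
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";   // injectable
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: bound parameter, the value never becomes part of the SQL ---
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- HTML context: escape at output time, for the exact encoding used ---
function renderName(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// --- Shell context: escapeshellarg() once per argument (not called below;
//     it needs network access). Prefer a native API over shelling out at all.
function pingHost(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Constructed demo data in an in-memory SQLite database
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$hostile = "x' OR '1'='1";   // constructed input that turns the filter into a tautology
printf("vulnerable query: %d rows (filter bypassed)\n", count(findUserVulnerable($db, $hostile)));
printf("parameterised query: %d rows\n", count(findUserSafe($db, $hostile)));
echo renderName('<script>alert(1)</script>'), "\n";   // rendered inert
```

The vulnerable function returns both rows because the quote in the input closes the string literal and the rest becomes SQL; the parameterised version returns none, since the driver sends the value separately from the statement text. The escaping functions the list names still belong in the code, but at the HTML and shell boundaries respectively.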

Although this page will grow with time, by no means is this a definitive list. Please perform further research.
