php_security [2011/11/22 10:22] (current)
====== PHP Security ======

  * [[PHP]]
  * [[PHP Suhosin]]
  * [[http://us.php.net/manual/en/configuration.changes.modes.php|Where a configuration setting may be set]]
  * [[http://us.php.net/manual/en/ini.list.php|List of php.ini directives]]
  * [[http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking|PHP Session Hijacking]]

=== PHP Configuration Overrides ===

^ Mode ^ Meaning ^
| PHP_INI_USER | Entry can be set in user scripts (like with ini_set()) |
| PHP_INI_PERDIR | Entry can be set in php.ini, .htaccess or httpd.conf |
| PHP_INI_SYSTEM | Entry can be set in php.ini or httpd.conf |
| PHP_INI_ALL | Entry can be set anywhere |

=== Configuration Settings ===

== open_basedir ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.open-basedir|description]]

Limits all file operations to the defined directory and below. This directive makes most sense if used in a per-directory or per-virtualhost web server configuration file.

  * Default: Off
  * Recommended: webroot
  * Changeable: PHP_INI_ALL
  * Syntax: "/var/www:/usr/share/php"

It is also prudent to disable the symlink() function (see disable_functions below).

== disable_functions ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.disable-functions|description]]

Disables the listed PHP functions. Calling a disabled function raises a warning stating that it has been disabled for security reasons.

  * Default: None
  * Recommended: filesystem functions, program execution functions, phpinfo(), etc.
  * Changeable: php.ini only
  * Syntax: "system,file_get_contents" (only internal functions can be listed; eval is a language construct, not a function, so it cannot be disabled this way)

== expose_php ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.expose-php|description]]

Adds a header to HTTP responses revealing the PHP version in use.

  * Default: Enabled
  * Recommended: Disabled
  * Changeable: php.ini only

== display_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.display-errors|description]]

Sends PHP error messages to the script's output, where end users can see them.

  * Default: Enabled
  * Recommended: Disabled on production servers
  * Changeable: PHP_INI_ALL

== html_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.html-errors|description]]

Formats error messages with HTML tags.

  * Default: Enabled
  * Recommended: Disabled on production servers
  * Changeable: PHP_INI_ALL

== post_max_size ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.post-max-size|description]]

Maximum size of POST data that PHP will accept.

  * Default: 8M
  * Recommended: As low as the application allows, to limit denial-of-service exposure.
  * Changeable: PHP_INI_PERDIR

== enable_dl ==

  * [[http://us.php.net/manual/en/info.configuration.php#ini.enable-dl|description]]

Allows loading PHP extensions (shared modules) at runtime.

  * Default: Enabled
  * Recommended: Disabled
  * Changeable: PHP_INI_SYSTEM

== file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.file-uploads|description]]

Allows uploading files.

  * Default: Enabled
  * Recommended: Disable if not being used
  * Changeable: PHP_INI_SYSTEM

== upload_max_filesize ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.upload-max-filesize|description]]

The maximum size of a single uploaded file.

  * Default: 2M
  * Recommended: As large as production requires; otherwise keep it small to limit denial of service.
  * Changeable: PHP_INI_PERDIR

== max_file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.max-file-uploads|description]]

Maximum number of files that can be uploaded via a single request.

  * Default: 20
  * Recommended: A lower value, matching what the application needs
  * Changeable: PHP_INI_SYSTEM

== allow_url_fopen ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen|description]]

Whether to allow the treatment of URLs (like http:// or ftp://) as files.

  * Default: Off
  * Recommended: Off
  * Changeable: PHP_INI_SYSTEM (the manual's appendix lists PHP_INI_ALL, which is wrong)

== allow_url_include ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include|description]]

Whether to allow include/require to open URLs (like http:// or ftp://) as files.

  * Default: Off
  * Recommended: Off
  * Changeable: PHP_INI_ALL

== session.use_only_cookies ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies|description]]

This option enables administrators to make their users invulnerable to attacks which involve passing session IDs in URLs.

  * [[http://www.php.net/manual/en/session.security.php|Sessions and security]]

  * Default: Off
  * Recommended: On for sites that store sensitive data in the session; note that it requires the browser to accept cookies
  * Changeable: PHP_INI_ALL

== session.cookie_httponly ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly|description]]

Whether or not to add the HttpOnly flag to the session cookie, which makes it inaccessible to browser scripting languages such as JavaScript.

  * Default: Off
  * Recommended: On, unless the site uses JavaScript to read the session cookie (likely rare)
  * Changeable: PHP_INI_ALL

== session.hash_function ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.hash-function|description]]

Allows you to specify the hash algorithm used to generate session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).

  * Default: MD5
  * Recommended: SHA-1
  * Changeable: PHP_INI_ALL

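The following audit script is an added example, not part of this wiki page or of PHP's own documentation: it checks the running configuration against the recommendations above and, following the modes table, tries ini_set() on each weak directive (success means PHP_INI_ALL and the value is tightened for this request; false means php.ini or httpd.conf is required). The helper names iniBool/iniBytes/audit and the size limits MAX_POST and MAX_UPLOAD are this example's own placeholders; session.hash_function no longer exists in PHP 7.1 and later, which the script reports rather than treating as a failure.

```php
<?php
// Added example (not from the wiki page). ini_get() returns booleans in several
// spellings ("1", "", "On", "off") and sizes in php.ini shorthand ("8M"), so both are
// normalised before comparison. Weak PHP_INI_ALL directives are tightened via ini_set().

function iniBool(string $v): bool { return (bool) filter_var($v, FILTER_VALIDATE_BOOLEAN); }

function iniBytes(string $v): int {              // "8M" => 8388608, "512k" => 524288, "0" => 0
    $n = (int) $v;
    switch (strtoupper(substr(trim($v), -1))) {  // fall-through multiplies by 1024 per step
        case 'G': $n *= 1024;
        case 'M': $n *= 1024;
        case 'K': $n *= 1024;
    }
    return $n;
}

const MAX_POST   = '2M';   // placeholder: set to what the application actually needs
const MAX_UPLOAD = '1M';   // placeholder

function audit(): array {
    $want = [  // directive => recommended value from the page, as a boolean
        'expose_php' => false, 'display_errors' => false, 'html_errors' => false,
        'enable_dl' => false, 'allow_url_fopen' => false, 'allow_url_include' => false,
        'session.use_only_cookies' => true, 'session.cookie_httponly' => true,
    ];
    $out = [];
    foreach ($want as $d => $ok) {
        $cur = ini_get($d);
        if ($cur === false) { $out[$d] = 'not available in this PHP build'; continue; }
        if (iniBool($cur) === $ok) { $out[$d] = 'ok'; continue; }
        $out[$d] = ini_set($d, $ok ? '1' : '0') === false  // false: not settable at runtime
            ? "WEAK ($cur): must be set in php.ini/httpd.conf"
            : "WEAK ($cur): tightened at runtime for this request";
    }
    foreach (['open_basedir', 'disable_functions'] as $d) {   // both must be non-empty
        $out[$d] = ini_get($d) === '' ? 'WEAK: not set' : 'ok';
    }
    foreach (['post_max_size' => MAX_POST, 'upload_max_filesize' => MAX_UPLOAD] as $d => $lim) {
        $b = iniBytes($cur = ini_get($d));                      // 0 means "no limit" for post_max_size
        $out[$d] = ($b > iniBytes($lim) || ($d === 'post_max_size' && $b === 0)) ? "WEAK ($cur): above $lim" : 'ok';
    }
    $h = ini_get('session.hash_function');                      // removed in PHP 7.1, so may be false
    $out['session.hash_function'] = $h === false ? 'not available (PHP >= 7.1)'
        : (in_array($h, ['0', 'md5'], true) ? "WEAK ($h): MD5" : 'ok');
    return $out;
}

foreach (audit() as $d => $status) printf("%-26s %s\n", $d, $status);
```

Run it with the same SAPI the site uses (a throwaway web script rather than the CLI), since php.ini values and the effect of per-directory overrides differ between them.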