Securing PHP
PHP is one of the most popular programming languages for the Web. A lot of applications are developed using PHP, but only a very small percentage of PHP programmers write quality, secure code. As a result, about 70-80% of hacks are done via PHP applications (forums, blogs, albums, etc). So, how can you secure your server? There is no 100% recipe, but I have some tips that can help you.
First of all, we need to forbid access to any files outside the document root. The following lines must be added to every virtual host section inside the Apache configuration file (keep the trailing slash on open_basedir: PHP treats the value as a prefix, so /path/to/user/doc_root without the slash would also allow /path/to/user/doc_root2):
php_admin_value doc_root /path/to/user/doc_root/
php_admin_value open_basedir /path/to/user/doc_root/
php_admin_value upload_tmp_dir /path/to/user/tmp
php_admin_value session.save_path /path/to/user/tmp
Now you need to change some values in your php.ini file.
- expose_php must be Off
- display_errors must be Off
- log_errors must be On
- allow_url_fopen must be Off
- file_uploads must be Off
It is also a good idea to disable some potentially insecure functions. You need to add all of the following functions to the disable_functions directive: phpinfo, popen, dl, passthru, system, exec, proc_open, shell_exec, proc_close, symlink, ini_get_all, ini_get
Please note that some of these functions may be required by software installed on your server, so check the Apache error_log and re-enable the ones that are needed. Do not forget to restart Apache after all changes ;-)
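To see whether a php.ini actually matches the settings above, here is a small POSIX shell audit script. It is an added example, not part of the original post: the function names, the temporary file and the sample php.ini (which deliberately leaves display_errors On and omits two functions from disable_functions) are all constructed for the demonstration.

```shell
#!/bin/sh
# Audit a php.ini against the hardening settings recommended above.
# Added example (not from the original post); the sample php.ini below is constructed.

# ini_value FILE KEY -> prints the last uncommented value of KEY, lowercased,
# with trailing ";" comments, surrounding quotes and whitespace removed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | tail -n 1 \
      | sed 's/[[:space:]]*;.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//' \
      | tr 'A-Z' 'a-z'
}

# normalize_bool VALUE -> "on" or "off" for the boolean spellings php.ini accepts
normalize_bool() {
    case "$1" in
        1|on|yes|true) echo on ;;
        *) echo off ;;
    esac
}

# expect_bool FILE KEY on|off -> returns 0 if KEY has the expected boolean value
expect_bool() {
    actual=$(normalize_bool "$(ini_value "$1" "$2")")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL: $2 is $actual, expected $3"
    return 1
}

# The functions the post recommends adding to disable_functions.
DISABLE_LIST="phpinfo popen dl passthru system exec proc_open shell_exec proc_close symlink ini_get_all ini_get"

# missing_disabled FILE -> prints each function of DISABLE_LIST absent from
# disable_functions (one per line); returns 1 if anything is missing.
missing_disabled() {
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    status=0
    for fn in $DISABLE_LIST; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$fn"
            status=1
        fi
    done
    return $status
}

# audit_ini FILE -> runs every check; the exit status is the number of failed checks
audit_ini() {
    failures=0
    expect_bool "$1" expose_php off      || failures=$((failures + 1))
    expect_bool "$1" display_errors off  || failures=$((failures + 1))
    expect_bool "$1" log_errors on       || failures=$((failures + 1))
    expect_bool "$1" allow_url_fopen off || failures=$((failures + 1))
    expect_bool "$1" file_uploads off    || failures=$((failures + 1))
    missing=$(missing_disabled "$1") || {
        echo "FAIL: disable_functions lacks: $(printf '%s' "$missing" | tr '\n' ' ')"
        failures=$((failures + 1))
    }
    return "$failures"
}

# Constructed sample php.ini with two deliberate deviations: display_errors is
# still On, and disable_functions lacks shell_exec and ini_get.
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server's php.ini
expose_php = Off
display_errors = On    ; should be Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
allow_url_fopen = Off
file_uploads = Off
disable_functions = "phpinfo,popen,dl,passthru,system,exec,proc_open,proc_close,symlink,ini_get_all"
EOF

if audit_ini "$SAMPLE_INI"; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
```

Point audit_ini at the real php.ini (or the output of `php --ini` to find it) after editing and again after each Apache restart; the per-vhost php_admin_value settings are not in php.ini, so they must still be checked in the Apache configuration itself.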