Difference between revisions of "PHP Configuration Cheat Sheet"

From OWASP
(php.ini)
(Authors and Primary Editors)
 
(7 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
= Introduction  =
 
= Introduction  =
  
This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application.
+
This page is part of the [[PHP Security Cheat Sheet]], for developers and administrators. It describes secure configuration of PHP and its platform.
 +
====<center>..: Work in Progress :..</center>====
 +
----
  
 +
=Web Server Configuration=
 +
==Apache==
 +
===suPHP===
 +
[http://suphp.org suPHP] makes every php script run as its file owner. This way you are allowed to upload and modify files in your folders without needing to '''chmod 777''' any folder, which is very bad security practice and will let to your files be compromised easily. Install and configure it on your web server.
  
=Configuration and Deployment=
+
=PHP Configuration and Deployment=
 
==suhosin==
 
==suhosin==
Consider using Stefan Esser's <u>[[http://www.hardened-php.net/suhosin/index.html Hardened PHP patch]]</u> .
+
Consider using [http://www.hardened-php.net/suhosin/index.html Suhosin] (Stefan Esser's [Hardened PHP patch]) if you want to patch many custom security flaws in various parts of PHP.  
 
+
==suPHP==
+
{{TBD:}}
+
  
 
==php.ini==
 
==php.ini==
Note that some of following settings need to be adapted to your system, in particular <code>/path/</code> and <code>/application/</code>. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
+
Note that some of following settings need to be adapted to your system, in particular <code style="background:#ddd">/path/</code> and <code style="background:#ddd">/application/</code>. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
  
  
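Review bot: the "===suPHP===" subsection added under Apache in this hunk and the "==suPHP==" stub marked {{TBD:}} further down describe the same tool; keep one of them, or have the stub point at the Apache section. Two wording points in the same hunk: "will let to your files be compromised easily" should read "makes your files easy to compromise", and in the new suhosin sentence "[Hardened PHP patch]" has no URL, so the brackets will render literally; either drop them or make it a real link.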
Line 23: Line 26:
 
   display_startup_errors  = Off
 
   display_startup_errors  = Off
 
   log_errors              = On
 
   log_errors              = On
   error_log              = /path/PHP-logs/php_error.log
+
   error_log              = /valid_path/PHP-logs/php_error.log
 
   ignore_repeated_errors  = Off
 
   ignore_repeated_errors  = Off
 +
 +
 +
Keep in mind that you need to have display_errors off on a production server and it's a good idea to frequently notice the logs.
  
 
====PHP general settings====
 
====PHP general settings====
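Review bot: the error_log path changes from /path/PHP-logs/ to /valid_path/PHP-logs/, but the php.ini introduction in this same revision still names /path/ and /application/ as the placeholders the reader has to adapt; use one placeholder convention so the reader knows this line also needs editing. In the added sentence, "frequently notice the logs" should be "review the logs frequently", and it is worth saying why: with display_errors = Off the log file is the only place the errors go.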
Line 36: Line 42:
 
   variables_order        = "GPSE"
 
   variables_order        = "GPSE"
 
   allow_webdav_methods    = Off
 
   allow_webdav_methods    = Off
 +
 +
 +
Allow_url_* prevents LFIs to be easily escalated to RFIs.
  
 
====PHP file upload handling====
 
====PHP file upload handling====
   file_uploads            = Off
+
   file_uploads            = On
 
   upload_tmp_dir          = /path/PHP-uploads/
 
   upload_tmp_dir          = /path/PHP-uploads/
  upload_max_filesize    = 1M  # NOTE: more or less useless as first handled by the web server
 
 
   max_file_uploads        = 2
 
   max_file_uploads        = 2
 +
 +
It's a good idea to turn it off, if your application is not using file uploads.
  
 
====PHP executable handling====
 
====PHP executable handling====
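Review bot: the new sentence "Allow_url_* prevents LFIs to be easily escalated to RFIs" reads as if the directive itself were protective; it is setting allow_url_fopen and allow_url_include to Off that stops a local file inclusion from being escalated into a remote one, so say that. In the upload part of the hunk, file_uploads flips from Off to On while the sentence added right below advises turning it off when the application does not use uploads; showing Off as the recommended value (with "set to On only if your application accepts uploads") matches the advice. The upload_max_filesize line also disappears here with no replacement; the remaining max_file_uploads = 2 limits the number of files per request, not their size.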
Line 49: Line 59:
 
   disable_functions      = chdir, mkdir, rmdir, chmod, rename
 
   disable_functions      = chdir, mkdir, rmdir, chmod, rename
 
   disable_functions      = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
 
   disable_functions      = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
     # see also: http://de3.php.net/features.safe-mode
+
     # see also: http://ir.php.net/features.safe-mode
 
   disable_classes        =  
 
   disable_classes        =  
 +
 +
These are dangerous PHP functions. You should disable all that you don't use.
  
 
====PHP session handling====
 
====PHP session handling====
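Review bot: disable_functions is assigned several times in this block (the two lines shown here plus the system/exec/shell_exec and fopen_with_path lines visible in the rendered revision below). php.ini keeps only the last assignment of a directive, so as written only filepro, filepro_rowcount, filepro_retrieve and posix_mkfifo are actually disabled and the earlier lists have no effect; put the whole list into one disable_functions directive, however long the line gets. The mirror change from de3.php.net to ir.php.net is cosmetic; the canonical php.net URL would avoid depending on any one mirror.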
Line 60: Line 72:
 
   session.use_trans_sid  = 0
 
   session.use_trans_sid  = 0
 
   session.cookie_domain  = full.qualified.domain.name
 
   session.cookie_domain  = full.qualified.domain.name
   session.cookie_path    = /application/path/
+
   #session.cookie_path    = /application/path/
 
   session.cookie_lifetime = 0
 
   session.cookie_lifetime = 0
 
   session.cookie_secure  = On
 
   session.cookie_secure  = On
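Review bot: commenting out session.cookie_path drops the "/application/path/" scoping this line provided, so the session cookie falls back to PHP's default path of "/" and is sent to every application on the host. If the intent is "only set this when the application is not at the web root", say so in a comment next to the directive; otherwise keep it active. The full.qualified.domain.name placeholder in the same block should likewise be marked as a value to adapt, as /path/ and /application/ are in the php.ini introduction.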
Line 67: Line 79:
 
   session.cache_expire    = 30
 
   session.cache_expire    = 30
 
   default_socket_timeout  = 60
 
   default_socket_timeout  = 60
 +
 +
It is a good practice to change session.name to something new.
  
 
====some more security paranoid checks====
 
====some more security paranoid checks====
 
   session.referer_check  = /application/path
 
   session.referer_check  = /application/path
   memory_limit            = 2M
+
   memory_limit            = 32M
   post_max_size          = 2M
+
   post_max_size          = 32M
   mx_execution_time       = 9
+
   max_execution_time       = 60
 
   report_memleaks        = On
 
   report_memleaks        = On
 
   track_errors            = Off
 
   track_errors            = Off
 
   html_errors            = Off
 
   html_errors            = Off
 
====old, depricated====
 
Use these configurations in older PHP versions if necessary.
 
  register_globals        = Off
 
  gpc_order              = "GP"
 
  magic_quotes_gpc        = On
 
  safe_mode              = On
 
  safe_mode_include_dir  = /path/PHP-include
 
  safe_mode_exec_dir      = /path/PHP-executable
 
  safe_mode_allowed_env_vars  = PHP_
 
  safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG,
 
  safe_mode_protected_env_vars = LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
 
  
 
====PHP Database Settings====
 
====PHP Database Settings====
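Review bot: the max_execution_time correction is more than a typo fix and deserves a word in the text: PHP silently ignores a directive it does not know, so the old "mx_execution_time = 9" never took effect. memory_limit and post_max_size are both raised from 2M to 32M and now sit at the same value; a request that fills post_max_size then leaves no headroom under memory_limit for the script itself, so consider a gap between the two. Dropping the "old, depricated" block removes register_globals = Off together with the safe_mode and magic_quotes lines; register_globals = Off is still relevant on PHP before 5.4 and could survive under a "legacy" heading, while magic_quotes_gpc = On and safe_mode = On gave a false sense of protection and are rightly gone.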
Line 108: Line 110:
  
 
[[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
 
[[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
 +
 +
--[[User:Abbas Naderi|AbiusX]] [mailto:abbas.naderi@owasp.org email]
  
 
--[[User:Achim|Achim]], 30. November 2012
 
--[[User:Achim|Achim]], 30. November 2012

Latest revision as of 15:36, 30 November 2012


Introduction

This page is part of the PHP Security Cheat Sheet, for developers and administrators. It describes secure configuration of PHP and its platform.

..: Work in Progress :..


Web Server Configuration

Apache

suPHP

suPHP makes every PHP script run as its file owner. This lets you upload and modify files in your own directories without having to chmod 777 any directory, which is very bad security practice and makes your files easy to compromise. Install and configure it on your web server.
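The check that goes with this advice, as an added example that is not part of the OWASP page or of suPHP: walk a document root and report every file or directory whose mode grants write access to "others", which is what a chmod 777 leaves behind. The sample web root it builds is constructed purely for the demonstration.

```python
"""List world-writable paths under a web root.

Added example, not from the OWASP cheat sheet: the companion check for the
suPHP advice above. With scripts running as their owner no directory needs
chmod 777, so anything this reports is a candidate for tightening.
"""
import os
import stat
import tempfile
from typing import List


def world_writable(root: str) -> List[str]:
    """Return paths under root (relative to it, sorted) with the o+w bit set.

    Symlinks are skipped rather than followed, so a link pointing outside the
    web root does not drag unrelated files into the report.
    """
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample web root: a correctly permissioned script and an
    uploads directory left at 777 with a 666 file inside it."""
    app = os.path.join(root, "app")
    uploads = os.path.join(root, "uploads")
    os.makedirs(app)
    os.makedirs(uploads)
    script = os.path.join(app, "index.php")
    upload = os.path.join(uploads, "avatar.png")
    for path in (script, upload):
        open(path, "w").close()
    # Modes are set explicitly so the result does not depend on the umask.
    os.chmod(app, 0o755)
    os.chmod(script, 0o644)
    os.chmod(upload, 0o666)
    os.chmod(uploads, 0o777)


def demo() -> List[str]:
    """Build the sample tree in a temp dir, audit it, clean up, return hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return world_writable(root)


if __name__ == "__main__":
    for path in demo():
        print("world-writable:", path)
```

Run it against a real document root with `world_writable("/path/DocumentRoot")`; an empty list is the state the suPHP setup is meant to make achievable.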

PHP Configuration and Deployment

suhosin

Consider using Suhosin (Stefan Esser's Hardened PHP patch), which patches a range of security weaknesses in various parts of PHP that the core does not address.

php.ini

Note that some of the following settings need to be adapted to your system, in particular /path/ and /application/. Also consult the PHP Manual for the dependencies between some of these settings.


PHP error handling

 expose_php              = Off
 error_reporting         = E_ALL
 display_errors          = Off
 display_startup_errors  = Off
 log_errors              = On
 error_log               = /valid_path/PHP-logs/php_error.log
 ignore_repeated_errors  = Off


Keep in mind that display_errors must be Off on a production server, and since the errors then go only to the log file, it is a good idea to review the logs frequently.

PHP general settings

 doc_root                = /path/DocumentRoot/PHP-scripts/
 open_basedir            = /path/DocumentRoot/PHP-scripts/
 include_path            = /path/PHP-pear/
 extension_dir           = /path/PHP-extensions/
 mime_magic.magicfile    = /path/PHP-magic.mime
 allow_url_fopen         = Off
 allow_url_include       = Off
 variables_order         = "GPSE"
 allow_webdav_methods    = Off


Setting allow_url_fopen and allow_url_include to Off prevents a local file inclusion (LFI) from being escalated easily into a remote file inclusion (RFI).

PHP file upload handling

 file_uploads            = On
 upload_tmp_dir          = /path/PHP-uploads/
 max_file_uploads        = 2

It is a good idea to set file_uploads to Off if your application does not use file uploads.

PHP executable handling

 enable_dl               = On
 disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
   ; php.ini keeps only the last assignment of a directive, so the whole list must be on one line
   ; see also: http://ir.php.net/features.safe-mode
 disable_classes         = 

These are dangerous PHP functions; disable every one that your application does not use.

PHP session handling

 session.auto_start      = Off
 session.save_path       = /path/PHP-session/
 session.name            = myPHPSESSID
 session.hash_function   = 1
 session.hash_bits_per_character = 6
 session.use_trans_sid   = 0
 session.cookie_domain   = full.qualified.domain.name
 #session.cookie_path    = /application/path/
 session.cookie_lifetime = 0
 session.cookie_secure   = On
 session.cookie_httponly = 1
 session.use_only_cookies = 1
 session.cache_expire    = 30
 default_socket_timeout  = 60

It is good practice to change session.name from the default PHPSESSID to a custom value.

Some more paranoid security checks

 session.referer_check   = /application/path
 memory_limit            = 32M
 post_max_size           = 32M
 max_execution_time      = 60
 report_memleaks         = On
 track_errors            = Off
 html_errors             = Off

PHP Database Settings

TBD: database settings should be done in the web server's configuration (i.e. httpd.conf)

PHP Database User

TBD: explain the pros and cons of what to set in php.ini, httpd.conf and/or the registry

PHP Windows specific Settings

TBD:

PHP Extension

TBD:

Related Cheat Sheets

PHP_Security_Cheat_Sheet

Authors and Primary Editors

Achim Hoffmann - Achim at owasp.org

--AbiusX email

--Achim, 30. November 2012
