PHP Configuration Cheat Sheet

From OWASP
Revision as of 07:57, 30 November 2012 by Achim (Talk | contribs)



Introduction

This page provides quick, basic PHP security tips for administrators (and developers, where applicable). Keep in mind that the tips on this page are not sufficient on their own for securing your PHP web application.


Configuration and Deployment

suhosin

Consider using Stefan Esser's Suhosin extension or his [Hardened PHP patch].

suPHP

TBD

php.ini

Note that some of the following settings need to be adapted to your system. Also read the PHP Manual regarding the dependencies between some of these settings.

PHP error handling

 expose_php              = Off
 error_reporting         = E_ALL
 display_errors          = Off
 display_startup_errors  = Off
 log_errors              = On
 error_log               = /path/PHP-logs/php_error.log
 ignore_repeated_errors  = Off

PHP general settings

 doc_root                = /path/DocumentRoot/PHP-scripts/
 open_basedir            = /path/DocumentRoot/PHP-scripts/
 include_path            = /path/PHP-pear/
 extension_dir           = /path/PHP-extensions/
 mime_magic.magicfile    = /path/PHP-magic.mime
 allow_url_fopen         = Off
 allow_url_include       = Off
 variables_order         = "GPSE"
 allow_webdav_methods    = Off

PHP file upload handling

 file_uploads            = Off
 upload_tmp_dir          = /path/PHP-uploads/
 upload_max_filesize     = 1M
   ; NOTE: of limited use on its own, as the web server's request body limit and post_max_size are applied first
 max_file_uploads        = 2

PHP executable handling

 enable_dl               = Off
   ; dl() loads arbitrary extensions at run time and so bypasses open_basedir and disable_functions
 disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
   ; keep this as one comma-separated list: php.ini keeps only the last occurrence of a repeated directive,
   ; and disable_functions cannot be changed at run time (comments in php.ini start with ";", not "#")
   ; see also: http://de3.php.net/features.safe-mode
 disable_classes         = 

PHP session handling

 session.auto_start      = Off
 session.save_path       = /path/PHP-session/
 session.name            = myPHPSESSID
 session.hash_function   = 1
 session.hash_bits_per_character = 6
 session.use_trans_sid   = 0
 session.cookie_domain   = fully.qualified.domain.name
 session.cookie_path     = /application/path/
 session.cookie_lifetime = 0
 session.cookie_secure   = On
 session.cookie_httponly = 1
 session.use_only_cookies= 1
 session.cache_expire    = 30
 default_socket_timeout  = 60

Some more paranoid security settings

 session.referer_check   = /application/path
 memory_limit            = 2M
 post_max_size           = 2M
 max_execution_time      = 9
 report_memleaks         = On
 track_errors            = Off
 html_errors             = Off

Old, deprecated

Use these settings only on older PHP versions that still support them, if necessary; most of them were deprecated in PHP 5.3 and removed in PHP 5.4.

 register_globals        = Off
 gpc_order               = "GP"
 magic_quotes_gpc        = Off
   ; automatic escaping of input gives a false sense of security and corrupts data; removed in PHP 5.4
 safe_mode               = On
 safe_mode_include_dir   = /path/PHP-include
 safe_mode_exec_dir      = /path/PHP-executable
 safe_mode_allowed_env_vars   = PHP_
 safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
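
The php.ini values above only help if the interpreter that actually serves requests loads them. The following audit script is an added example for this cheat sheet (it is not part of the OWASP page or of PHP itself): it compares the running PHP against the baseline from the sections above using ini_get() and function_exists(), reports every deviation, and exits non-zero when something is off. All directive names come from the sections above; the $expected table, the split into boolean/exact/non-empty checks and the chosen subset of functions to verify are this example's own choices. It needs PHP 7.0 or later.

```php
<?php
// php_ini_audit.php: added example, not part of the OWASP cheat sheet or of PHP.
// Run it with the SAPI you really serve with: CLI and mod_php/FPM frequently load
// different php.ini files (compare `php --ini` with the output of phpinfo()).
declare(strict_types=1);

// php.ini accepts On/Off, 1/0, true/false, yes/no; ini_get() returns the literal
// string that was written, so normalise before comparing.
function ini_bool(string $raw): bool
{
    return in_array(strtolower(trim($raw)), ['1', 'on', 'true', 'yes'], true);
}

// Compare directives against the baseline. $want is bool for On/Off directives,
// a string for an exact value, or null when the directive only has to be non-empty.
// Returns one finding per deviation; an empty array means the baseline holds.
function audit_ini(array $expected): array
{
    $findings = [];
    foreach ($expected as $name => $want) {
        $raw = ini_get($name);
        if ($raw === false) {
            // Directive unknown to this build. Directives removed from PHP
            // (register_globals since 5.4, session.hash_bits_per_character since 7.1)
            // come back as false: for an "Off" expectation that is the safe state,
            // otherwise flag it so the admin knows the line in php.ini has no effect.
            if ($want !== false) {
                $findings[] = "$name: not known to this PHP build, setting is ignored";
            }
            continue;
        }
        $raw = trim($raw);
        if (is_bool($want) && ini_bool($raw) !== $want) {
            $findings[] = sprintf('%s: expected %s, got "%s"', $name, $want ? 'On' : 'Off', $raw);
        } elseif ($want === null && $raw === '') {
            $findings[] = "$name: must be set, is empty";
        } elseif (is_string($want) && $raw !== $want) {
            $findings[] = sprintf('%s: expected "%s", got "%s"', $name, $want, $raw);
        }
    }
    return $findings;
}

// disable_functions cannot be changed at run time, and php.ini keeps only the last
// occurrence of a repeated directive, so a list split over several lines silently
// loses all but the last line. Check what is really in effect: function_exists()
// returns false both for disabled functions and for functions not compiled in, so
// a function that is still callable is the finding that matters either way.
function audit_disabled_functions(array $mustBeDisabled): array
{
    $inEffect = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $findings = [];
    foreach ($mustBeDisabled as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn: still callable";
        } elseif (!in_array($fn, $inEffect, true)) {
            $findings[] = "$fn: not built in (absent from disable_functions, nothing to disable)";
        }
    }
    return $findings;
}

// Baseline taken from the php.ini sections of the cheat sheet; values that are
// paths or host names are only checked for being set at all.
$expected = [
    'expose_php' => false, 'display_errors' => false, 'display_startup_errors' => false,
    'log_errors' => true, 'error_log' => null,
    'open_basedir' => null, 'allow_url_fopen' => false, 'allow_url_include' => false,
    'variables_order' => 'GPSE',
    'file_uploads' => false,
    'enable_dl' => false,
    'session.auto_start' => false, 'session.save_path' => null, 'session.use_trans_sid' => false,
    'session.cookie_secure' => true, 'session.cookie_httponly' => true,
    'session.use_only_cookies' => true, 'session.hash_bits_per_character' => '6',
    'register_globals' => false,
];
// Subset of the disable_functions list above that still exists in current PHP builds.
$mustBeDisabled = ['system', 'exec', 'shell_exec', 'passthru', 'phpinfo', 'show_source',
    'popen', 'proc_open', 'putenv', 'move_uploaded_file', 'chdir', 'mkdir', 'rmdir',
    'chmod', 'rename', 'posix_mkfifo'];

$findings = array_merge(audit_ini($expected), audit_disabled_functions($mustBeDisabled));
printf("PHP %s, SAPI %s, php.ini %s\n", PHP_VERSION, PHP_SAPI, php_ini_loaded_file() ?: 'none');
foreach ($findings as $f) {
    echo "FAIL $f\n";
}
echo $findings ? count($findings) . " finding(s)\n" : "OK baseline holds\n";
exit($findings ? 1 : 0);
```

Run it once from the command line (`php php_ini_audit.php`) and once through the web server, since the two SAPIs may read different php.ini files; a clean CLI run says nothing about the configuration mod_php or PHP-FPM is using. Delete the script from the document root afterwards, as it reveals the effective configuration to anyone who can request it.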

Database Settings

TBD: database settings should be done in the web server's configuration (i.e. httpd.conf)

Database User

TBD: explain the pros and cons of what to set in php.ini and/or httpd.conf and/or the registry

Session Management

TBD

Related Cheat Sheets

PHP_Security_Cheat_Sheet

Authors and Primary Editors

Achim Hoffmann - Achim at owasp.org

--Achim, 30 November 2012
