Hardening PHP Security: A PHP developer needs to secure the website in two layers. One is application and the second one is a server. You will have to identify the weakest link to start. A mantra is, we should not trust anything including current server/application configuration and most importantly user data.
Why Attack Happens:
1- Theft of other’s session
2- Reduce the website credibility
3- Stealing visitor information and browsing habits
4- Information stored in the database
5- Deny user access to website resources
6- Spreading malicious code by injecting the code in the user’s computer.
To overcome this problem, below are some security hack A PHP developer can add in the php.ini file.
1- Prevent Information Disclosure:
display_error = off //syntax
You can make it ‘on’ only on the Development environment. It should be ‘off’ in the production environment. An attacker can use this to get valuable information about your file system. An attacker can understand your code, framework used and vulnerability by seeing the error message on the server.
2- Disable Globals
register_globals = off //syntax
To understand this first, we need to understand the global variable in PHP. PHP global variable is those variables which can be accessed from anywhere regardless of the scope. It could be accessible from any PHP file without including any other file.
Think about a scenario where register global is on. Assume that in system there is a session variable $_SESSION[‘user_id’].
If the register globals is on, a hacker can access the variable directly without obtaining the $_SESSION[‘user_id’]. A hacker can also get user session only by injecting $user_id in the code and this way a hacker can override global variable.
3- Disable Remote File Includes.
allow_url_fopen = off //syntax
allow_url_include = off //syntax
A large number of code injection vulnerabilities reported in PHP-based web applications is due to enabling allow_url_fopen and bad input filtering.
Consider a PHP file named index.php which has following code.
$icnludeFile = $_GET[‘file_name’]
In this case, if no input validation is in place, Hacker can exploit this vulnerability by running the URL
Disable PHP execution in a directory where the user uploads the file:
Here the user can add two layers of security (Client/Server).
1- check the file extension on the client side.
2- check the file extension and size on the server side.
3- We can restrict the user to upload the executable file using the htaccess
php_flag engine off
php_flag engine off
order deny, allow
deny from all
Http Only Cookie: We can restrict access of cookie to the client browser by using HTTP only cookie flag.
session.cookie_httponly = 1 //syntax
Above can also set by below PHP function.
But in above case developer can forget to set httponly =1. It is better to have a server side setting in php.ini instead of trusting the developer every time while he is setting the PHP cookie.
Session Save Path: Session save path on the server should not be something like that hacker can directly access it.
It would be something Like session.save_path = /var/lib/php
Disable Unnecessary Functions:
PHP includes many functions that you will likely never need to use. However, they could be very helpful to hackers, disabling them likely will not affect your site, but will help make the hacker’s job much more difficult.
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace,
tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file,
source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid,
posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin,
posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid,
posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo,
posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid,
posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice,phpinfo
In my next post, I will try to explain some security setting which we can add in Apache configuration file.
The latest version of the software should run at your server: Every web software including PHP comes with bugs in their new release. Those software get version update over the period include security fixes. Your web server, third-party code, database, libraries etc. including your dev should run on the latest version. At the time of writing this blog post, we have the newest version of PHP is 7.3.4. If you check its changelog, you will find that they fix some security issue in their new release.
PHP Safe Mode: this feature was deprecated in PHP 5.3 and removed from PHP 5.4 onwards. If php5.3 and below is still ruining on your web server. You can disable safe mode through the HTACCESS FILE.
php_value safe_mode 0
php_flag safe_mode 0
php_value safe_mode off
php_flag safe_mode off
Benefit Of Safe Mode OFF For Developer:
If you enable safe mode, safe mode checks file ownership before accessing by any PHP file.
Example: If the PHP file ownership is Apache, if any hacker uploads any file in your server, it couldn’t execute by PHP file. In other cases, if hacker uploads and PHP file, he can’t access other information such as master password file etc.
Problem Due To Safe Mode Off:
if there are many developers who are working on the same hosting environment, they may have different users. file written by owner can’t be accessible to other developers, in some cases it may be apache user. To overcome this problem, you need to enable the safe mode in a different way by adding the following line in your php_ini code.
Instead of the user, the above code will check the group permission and all the user of the same group will able to work with files.
IF safe_mode_gid turned off then the user should be matched, if safe_mode_gid turned on then all the user in the same group can execute the file.
- PHP version < 4.2 (register_global on by default)
- Php version >=4.2 (register_global off by default)
- PHp version >=5.4 (setting has been removed from PHP.ini)
Grey area of PHP is that you don’t need to initialize the variable. Let us take the example with GET variable.
if your register_global is OFF, you can access the variable in PHP file yourpage.php by using below code
<?php echo $id; echo $name ?>
It is pretty simple. But this cause so many problems also. Assume, we already have id and name on the given page. Something like below.
$name = “Johan”
This is confusing and not a good practise, above code will print 7 and john as it overwrites the global variable. Let us take a different example to make it more clear. Suppose we are accepting username and password and making people logged in on our login page.
$loggedIn = true;
If register_global is on, we can directly see the mypage by just sending get Parameter like.
if register_global is off, we are forced to use superglobal variables.
Superglobal variables are:
If register_global is off, the attacker can not access the system directly with just by query parameters.