This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "PHP Configuration Cheat Sheet"
From OWASP
(created) |
(content moved from PHP_Security_Cheat_Sheet) |
||
| Line 4: | Line 4: | ||
This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application. | This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application. | ||
| + | |||
| + | =Configuration and Deployment= | ||
| + | ==suhosin== | ||
| + | Consider using Stefan Esser's <u>[[http://www.hardened-php.net/suhosin/index.html Hardened PHP patch]]</u> . | ||
| + | |||
| + | ==suPHP== | ||
| + | {{TBD:}} | ||
| + | |||
| + | ==php.ini== | ||
| + | Note that some of following settings need to be adapted to your system. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings. | ||
| + | |||
| + | ====PHP error handlling==== | ||
| + | expose_php = Off | ||
| + | error_reporting = E_ALL | ||
| + | display_errors = Off | ||
| + | display_startup_errors = Off | ||
| + | log_errors = On | ||
| + | error_log = /path/PHP-logs/php_error.log | ||
| + | ignore_repeated_errors = Off | ||
| + | |||
| + | ====PHP general settings==== | ||
| + | doc_root = /path/DocumentRoot/PHP-scripts/ | ||
| + | open_basedir = /path/DocumentRoot/PHP-scripts/ | ||
| + | include_path = /path/PHP-pear/ | ||
| + | extension_dir = /path/PHP-extensions/ | ||
| + | mime_magic.magicfile = /path/PHP-magic.mime | ||
| + | allow_url_fopen = Off | ||
| + | allow_url_include = Off | ||
| + | variables_order = "GPSE" | ||
| + | allow_webdav_methods = Off | ||
| + | |||
| + | ====PHP file upload handling==== | ||
| + | file_uploads = Off | ||
| + | upload_tmp_dir = /path/PHP-uploads/ | ||
| + | upload_max_filesize = 1M # NOTE: more or less useless as first handled by the web server | ||
| + | max_file_uploads = 2 | ||
| + | |||
| + | ====PHP executable handling==== | ||
| + | enable_dl = On | ||
| + | disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open | ||
| + | disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file | ||
| + | disable_functions = chdir, mkdir, rmdir, chmod, rename | ||
| + | disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo | ||
| + | # see also: http://de3.php.net/features.safe-mode | ||
| + | disable_classes = | ||
| + | |||
| + | ====PHP session handling==== | ||
| + | session.auto_start = Off | ||
| + | session.save_path = /path/PHP-session/ | ||
| + | session.name = myPHPSESSID | ||
| + | session.hash_function = 1 | ||
| + | session.hash_bits_per_character = 6 | ||
| + | session.use_trans_sid = 0 | ||
| + | session.cookie_domain = full.qualified.domain.name | ||
| + | session.cookie_path = /application/path/ | ||
| + | session.cookie_lifetime = 0 | ||
| + | session.cookie_secure = On | ||
| + | session.cookie_httponly = 1 | ||
| + | session.use_only_cookies= 1 | ||
| + | session.cache_expire = 30 | ||
| + | default_socket_timeout = 60 | ||
| + | |||
| + | ====some more security paranoid checks==== | ||
| + | session.referer_check = /application/path | ||
| + | memory_limit = 2M | ||
| + | post_max_size = 2M | ||
| + | mx_execution_time = 9 | ||
| + | report_memleaks = On | ||
| + | track_errors = Off | ||
| + | html_errors = Off | ||
| + | |||
| + | ====old, depricated==== | ||
| + | Use these configurations in older PHP versions if necessary. | ||
| + | register_globals = Off | ||
| + | gpc_order = "GP" | ||
| + | magic_quotes_gpc = On | ||
| + | safe_mode = On | ||
| + | safe_mode_include_dir = /path/PHP-include | ||
| + | safe_mode_exec_dir = /path/PHP-executable | ||
| + | safe_mode_allowed_env_vars = PHP_ | ||
| + | safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH | ||
| + | |||
| + | ====Database Settings==== | ||
| + | {{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}} | ||
| + | |||
| + | ====Database User==== | ||
| + | {{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}} | ||
| + | |||
| + | ====Session Management==== | ||
| + | {{TBD:}} | ||
= Related Cheat Sheets = | = Related Cheat Sheets = | ||
Revision as of 12:57, 30 November 2012
Introduction
This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application.
Configuration and Deployment
suhosin
Consider using Stefan Esser's [Hardened PHP patch] .
suPHP
php.ini
Note that some of following settings need to be adapted to your system. Also read the PHP Manual according dependencies of some settings.
PHP error handlling
expose_php = Off error_reporting = E_ALL display_errors = Off display_startup_errors = Off log_errors = On error_log = /path/PHP-logs/php_error.log ignore_repeated_errors = Off
PHP general settings
doc_root = /path/DocumentRoot/PHP-scripts/ open_basedir = /path/DocumentRoot/PHP-scripts/ include_path = /path/PHP-pear/ extension_dir = /path/PHP-extensions/ mime_magic.magicfile = /path/PHP-magic.mime allow_url_fopen = Off allow_url_include = Off variables_order = "GPSE" allow_webdav_methods = Off
PHP file upload handling
file_uploads = Off upload_tmp_dir = /path/PHP-uploads/ upload_max_filesize = 1M # NOTE: more or less useless as first handled by the web server max_file_uploads = 2
PHP executable handling
enable_dl = On disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file disable_functions = chdir, mkdir, rmdir, chmod, rename disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo # see also: http://de3.php.net/features.safe-mode disable_classes =
PHP session handling
session.auto_start = Off session.save_path = /path/PHP-session/ session.name = myPHPSESSID session.hash_function = 1 session.hash_bits_per_character = 6 session.use_trans_sid = 0 session.cookie_domain = full.qualified.domain.name session.cookie_path = /application/path/ session.cookie_lifetime = 0 session.cookie_secure = On session.cookie_httponly = 1 session.use_only_cookies= 1 session.cache_expire = 30 default_socket_timeout = 60
some more security paranoid checks
session.referer_check = /application/path memory_limit = 2M post_max_size = 2M mx_execution_time = 9 report_memleaks = On track_errors = Off html_errors = Off
old, depricated
Use these configurations in older PHP versions if necessary.
register_globals = Off gpc_order = "GP" magic_quotes_gpc = On safe_mode = On safe_mode_include_dir = /path/PHP-include safe_mode_exec_dir = /path/PHP-executable safe_mode_allowed_env_vars = PHP_ safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
Database Settings
Template:TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)
Database User
Template:TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry
Session Management
Related Cheat Sheets
Authors and Primary Editors
Achim Hoffmann - Achim at owasp.org
--Achim, 30 November 2012
Other Cheatsheets
OWASP Cheat Sheets Project Homepage
