Line 1: |
Line 1: |
| + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | = Introduction =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application.
| + | Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet. |
− | | |
− | ====<center>..: Work in Progress :..</center>====
| |
− | ----
| |
− | | |
− | =Configuration and Deployment=
| |
− | ==suhosin==
| |
− | Consider using Stefan Esser's <u>[[http://www.hardened-php.net/suhosin/index.html Hardened PHP patch]]</u> .
| |
− | | |
− | ==suPHP==
| |
− | {{TBD:}}
| |
− | | |
− | ==php.ini==
| |
− | Note that some of following settings need to be adapted to your system, in particular <code style="background:#ddd">/path/</code> and <code style="background:#ddd">/application/</code>. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
| |
− | | |
− | | |
− | | |
− | ====PHP error handlling====
| |
− | expose_php = Off
| |
− | error_reporting = E_ALL
| |
− | display_errors = Off
| |
− | display_startup_errors = Off
| |
− | log_errors = On
| |
− | error_log = /path/PHP-logs/php_error.log
| |
− | ignore_repeated_errors = Off
| |
− | | |
− | ====PHP general settings====
| |
− | doc_root = /path/DocumentRoot/PHP-scripts/
| |
− | open_basedir = /path/DocumentRoot/PHP-scripts/
| |
− | include_path = /path/PHP-pear/
| |
− | extension_dir = /path/PHP-extensions/
| |
− | mime_magic.magicfile = /path/PHP-magic.mime
| |
− | allow_url_fopen = Off
| |
− | allow_url_include = Off
| |
− | variables_order = "GPSE"
| |
− | allow_webdav_methods = Off
| |
− | | |
− | ====PHP file upload handling====
| |
− | file_uploads = Off
| |
− | upload_tmp_dir = /path/PHP-uploads/
| |
− | upload_max_filesize = 1M # NOTE: more or less useless as first handled by the web server
| |
− | max_file_uploads = 2
| |
− | | |
− | ====PHP executable handling====
| |
− | enable_dl = On
| |
− | disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
| |
− | disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file
| |
− | disable_functions = chdir, mkdir, rmdir, chmod, rename
| |
− | disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
| |
− | # see also: http://de3.php.net/features.safe-mode
| |
− | disable_classes =
| |
− | | |
− | ====PHP session handling====
| |
− | session.auto_start = Off
| |
− | session.save_path = /path/PHP-session/
| |
− | session.name = myPHPSESSID
| |
− | session.hash_function = 1
| |
− | session.hash_bits_per_character = 6
| |
− | session.use_trans_sid = 0
| |
− | session.cookie_domain = full.qualified.domain.name
| |
− | session.cookie_path = /application/path/
| |
− | session.cookie_lifetime = 0
| |
− | session.cookie_secure = On
| |
− | session.cookie_httponly = 1
| |
− | session.use_only_cookies= 1
| |
− | session.cache_expire = 30
| |
− | default_socket_timeout = 60
| |
− | | |
− | ====some more security paranoid checks====
| |
− | session.referer_check = /application/path
| |
− | memory_limit = 2M
| |
− | post_max_size = 2M
| |
− | mx_execution_time = 9
| |
− | report_memleaks = On
| |
− | track_errors = Off
| |
− | html_errors = Off
| |
− | | |
− | ====old, depricated====
| |
− | Use these configurations in older PHP versions if necessary.
| |
− | register_globals = Off
| |
− | gpc_order = "GP"
| |
− | magic_quotes_gpc = On
| |
− | safe_mode = On
| |
− | safe_mode_include_dir = /path/PHP-include
| |
− | safe_mode_exec_dir = /path/PHP-executable
| |
− | safe_mode_allowed_env_vars = PHP_
| |
− | safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG,
| |
− | safe_mode_protected_env_vars = LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
| |
− | | |
− | ====PHP Database Settings====
| |
− | {{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}}
| |
− | | |
− | ====PHP Database User====
| |
− | {{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}}
| |
− | | |
− | ====PHP Windows specific Settings====
| |
− | {{TBD:}}
| |
− | | |
− | ====PHP Extension====
| |
− | {{TBD:}}
| |
− | | |
− | = Related Cheat Sheets =
| |
− | | |
− | [[PHP_Security_Cheat_Sheet]]
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | [[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
| |
− | | |
− | --[[User:Achim|Achim]], 30. November 2012
| |
− | | |
− | = Other Cheatsheets =
| |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | [[Category:Cheatsheets]]
| |