
Difference between revisions of "PHP Configuration Cheat Sheet"

From OWASP
(created)
 
(content moved from PHP_Security_Cheat_Sheet)

Revision as of 12:57, 30 November 2012

Introduction

This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application.


Configuration and Deployment

suhosin

Consider using Stefan Esser's Hardened PHP patch, suhosin (http://www.hardened-php.net/suhosin/index.html).

suPHP

TBD

php.ini

Note that some of the following settings need to be adapted to your system. Also read the PHP Manual (http://www.php.net/manual/ini.core.php) regarding the dependencies between some of these settings.

PHP error handling

 expose_php              = Off
 error_reporting         = E_ALL
 display_errors          = Off
 display_startup_errors  = Off
 log_errors              = On
 error_log               = /path/PHP-logs/php_error.log
 ignore_repeated_errors  = Off

PHP general settings

 doc_root                = /path/DocumentRoot/PHP-scripts/
 open_basedir            = /path/DocumentRoot/PHP-scripts/
 include_path            = /path/PHP-pear/
 extension_dir           = /path/PHP-extensions/
 mime_magic.magicfile    = /path/PHP-magic.mime
 allow_url_fopen         = Off
 allow_url_include       = Off
 variables_order         = "GPSE"
 allow_webdav_methods    = Off

PHP file upload handling

 file_uploads            = Off
 upload_tmp_dir          = /path/PHP-uploads/
 upload_max_filesize     = 1M   ; NOTE: of limited use, since the web server enforces its own request size limit first
 max_file_uploads        = 2

PHP executable handling

 enable_dl               = On
 ; php.ini keeps only the LAST assignment of a directive, so all functions to disable must be listed on one line
 disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
   ; see also: http://de3.php.net/features.safe-mode
 disable_classes         = 

PHP session handling

 session.auto_start      = Off
 session.save_path       = /path/PHP-session/
 session.name            = myPHPSESSID
 session.hash_function   = 1
 session.hash_bits_per_character = 6
 session.use_trans_sid   = 0
 session.cookie_domain   = full.qualified.domain.name
 session.cookie_path     = /application/path/
 session.cookie_lifetime = 0
 session.cookie_secure   = On
 session.cookie_httponly = 1
 session.use_only_cookies = 1
 session.cache_expire    = 30
 default_socket_timeout  = 60

some more security paranoid checks

 session.referer_check   = /application/path
 memory_limit            = 2M
 post_max_size           = 2M
 max_execution_time      = 9
 report_memleaks         = On
 track_errors            = Off
 html_errors             = Off
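The directive values above are only useful if the php.ini that is actually loaded contains them. The following Python script is an added example (not part of the OWASP cheat sheet): it parses a php.ini file, normalises the boolean spellings PHP accepts (On/1/True/Yes, Off/0/False/No), and reports every directive that differs from a baseline taken from this page (expose_php, display_errors, display_startup_errors, log_errors, allow_url_fopen, allow_url_include, file_uploads and the session.* cookie settings). It also flags two pitfalls common in hand-written php.ini files: a directive such as disable_functions assigned on several lines, of which PHP keeps only the last, and '#' used as a comment marker, which PHP 7 and later no longer accept. SAMPLE_INI is a constructed fragment and BASELINE is the script's own selection of the page's values; both are assumptions of this example, not OWASP's.

```python
"""Audit a php.ini file against the hardened directive values on this page.

Added example, not OWASP's code: SAMPLE_INI is a constructed php.ini
fragment and BASELINE is this script's own selection of the page's values.
"""

# Constructed sample: deliberately contains a non-hardened expose_php, a
# repeated disable_functions directive and a '#' comment, so that every
# check below fires on realistic input.
SAMPLE_INI = """\
[PHP]
expose_php = On
error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = "/path/PHP-logs/php_error.log"   ; quoted value, ';' comment
allow_url_fopen = Off
allow_url_include = Off
file_uploads = Off
upload_max_filesize = 1M   # PHP 7+ no longer treats '#' as a comment
disable_functions = system, exec, shell_exec, passthru, phpinfo
disable_functions = chdir, mkdir, rmdir, chmod, rename
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 0
session.use_trans_sid = 0
"""

# Boolean-valued directives from the cheat sheet and the value it recommends,
# normalised to "on"/"off".
BASELINE = {
    "expose_php": "off",
    "display_errors": "off",
    "display_startup_errors": "off",
    "log_errors": "on",
    "allow_url_fopen": "off",
    "allow_url_include": "off",
    "file_uploads": "off",
    "session.use_only_cookies": "on",
    "session.cookie_httponly": "on",
    "session.cookie_secure": "on",
    "session.use_trans_sid": "off",
    "session.auto_start": "off",
}

BOOL_ON = {"on", "1", "true", "yes"}
BOOL_OFF = {"off", "0", "false", "no", "none", ""}


def normalize(value):
    """Map a php.ini boolean spelling to "on"/"off"; other values are lowercased."""
    v = value.strip().strip('"').strip().lower()
    if v in BOOL_ON:
        return "on"
    if v in BOOL_OFF:
        return "off"
    return v


def parse_php_ini(text):
    """Parse php.ini text into (settings, duplicates, warnings).

    settings   : directive -> the value PHP would keep (the LAST assignment wins)
    duplicates : directive -> every value seen, for directives assigned twice+
    warnings   : parsing problems, e.g. '#' comments that PHP 7+ rejects
    Simplification: ';' and '#' inside quoted values are not special-cased.
    """
    settings, seen, warnings = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        if "#" in line:
            warnings.append(f"line {lineno}: '#' is not a comment marker in PHP 7+")
            line = line.split("#", 1)[0].strip()
        if "=" not in line:
            warnings.append(f"line {lineno}: cannot parse {raw.strip()!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        seen.setdefault(key, []).append(value)
        settings[key] = value
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return settings, duplicates, warnings


def audit(settings):
    """Return (directive, expected, actual) for every BASELINE directive that is
    missing (PHP's compiled-in default applies) or set to a different value."""
    findings = []
    for key, expected in BASELINE.items():
        if key not in settings:
            findings.append((key, expected, "unset"))
        elif normalize(settings[key]) != expected:
            findings.append((key, expected, settings[key]))
    return findings


def effective_disable_functions(settings):
    """Functions PHP actually disables: only the last disable_functions line counts."""
    return {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}


def merged_disable_functions(settings, duplicates):
    """What a multi-line listing evidently intended: the union of every assignment.
    Writing this union back as ONE disable_functions line gives that effect."""
    values = duplicates.get("disable_functions", [settings.get("disable_functions", "")])
    return {f.strip() for v in values for f in v.split(",") if f.strip()}


def main():
    settings, duplicates, warnings = parse_php_ini(SAMPLE_INI)
    for w in warnings:
        print("WARN     ", w)
    for key, values in duplicates.items():
        print(f"DUPLICATE {key}: {len(values)} assignments, PHP keeps only the last")
    for key, expected, actual in audit(settings):
        print(f"FINDING   {key}: expected {expected}, found {actual}")
    print("effective disable_functions:", sorted(effective_disable_functions(settings)))
    print("merged (intended) list:     ", sorted(merged_disable_functions(settings, duplicates)))


if __name__ == "__main__":
    main()
```

Run it against a real file by replacing SAMPLE_INI with the contents of the php.ini reported by `php --ini`; the script only inspects directives, so the PHP defaults that apply to "unset" findings still have to be checked against the PHP Manual for the version in use.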

old, deprecated

Use these configurations in older PHP versions if necessary.

 register_globals        = Off
 gpc_order               = "GP"
 magic_quotes_gpc        = On
 safe_mode               = On
 safe_mode_include_dir   = /path/PHP-include
 safe_mode_exec_dir      = /path/PHP-executable
 safe_mode_allowed_env_vars   = PHP_
 safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH

Database Settings

TBD: database settings should be done in the web server's configuration (i.e. httpd.conf)

Database User

TBD: explain the pros and cons of what to set in php.ini and/or httpd.conf and/or the registry

Session Management

TBD

Related Cheat Sheets

PHP_Security_Cheat_Sheet

Authors and Primary Editors

Achim Hoffmann - Achim at owasp.org

--Achim, 30 November 2012

Other Cheatsheets

OWASP Cheat Sheets Project Homepage