
Harden PHP environment security

Last Updated: May 09, 2018

With the increasing adoption of PHP, its security is becoming a more prominent concern. Safe mode, provided by the PHP environment, is an important built-in security feature which can restrict certain PHP functions, such as the system() function. Safe mode also governs permissions for many file operation functions and does not allow editing of key system files, such as /etc/passwd. However, safe mode is not enabled by default in the php.ini configuration file. This document explains how to use PHP security features to increase the security of your website.

1. Enable PHP safe mode

The safe mode in PHP is an important built-in security mechanism which restricts certain PHP functions. You can enable it by modifying the following parameter in the php.ini configuration file.

```ini
safe_mode = on
```

Note: Like register_globals and magic_quotes_gpc below, safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4. This setting applies only to older PHP versions; the remaining settings in this document still apply on later versions.

2. User group security

When safe mode is enabled and the safe_mode_gid parameter is off, PHP compares the owner (UID) of the script with the owner of each file it tries to access. When the parameter is on, only the group (GID) is compared, so scripts of other users in the same group can also access the files. Therefore, we recommend the following configuration.

```ini
safe_mode_gid = off
```

Note: This parameter applies to the Linux operating system.

If you do not apply this configuration, you may not be able to perform operations on files under the website directories on the servers.

3. Home directory of the program to be executed in safe mode

When you want to execute external programs with safe mode enabled, you can specify the directory from which programs may be executed with the following configuration.

```ini
safe_mode_exec_dir = /usr/bin
```

Generally, you do not need to execute external programs, and we do not recommend pointing this setting at a system program directory. Instead, point it at a dedicated directory and copy only the programs that need to be executed into it. For example:

```ini
safe_mode_exec_dir = /temp/cmd
```

Better still, we recommend that you do not execute any external programs at all. In that case, point the setting at the web root directory as follows:

```ini
safe_mode_exec_dir = /usr/www
```

Note: Set the path based on your actual directory of the server.

4. Include files in safe mode

If you want to include shared files in safe mode, modify the configuration as follows:

```ini
safe_mode_include_dir = /usr/www/include/
```

Generally, the files included by a PHP script are already written into the program. Configure this setting based on your specific requirements.

5. Manage the accessible directory for the PHP script

You can use the open_basedir parameter to restrict the directories a PHP script may access. This prevents the script from reading or writing unexpected files and limits the damage a web shell (phpshell) can do. We recommend that you only allow a PHP script to access the website directory.

```ini
open_basedir = /usr/www
```

Note: PHP matches the open_basedir value as a path prefix, so /usr/www also allows /usr/www2 if such a directory exists. End the value with a slash (/usr/www/) to restrict access to exactly that directory.

6. Disable risky functions

After safe mode is enabled, disabling functions is not strictly necessary. However, you can still do so for additional security. For example, if you want to block the PHP functions that execute commands, such as system(), and the functions that reveal PHP configuration details, such as phpinfo(), you can disable them with the following configuration:

```ini
disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl
```

If you also want to disable operations on files and directories, you can disable the following file operation functions. Note that disable_functions may appear only once in php.ini (a later occurrence overrides an earlier one), so to apply both lists, merge them into a single comma-separated value.

```ini
disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown
```

Note: Only commonly used file processing functions are listed in the preceding configuration. You can combine these functions with the PHP functions that execute commands to defend against most phpshell vulnerabilities.

7. Disable displaying the PHP version in the HTTP header

To prevent hackers from learning the PHP version of the server, you can disable displaying this information in the HTTP header with the following configuration:

```ini
expose_php = off
```

Then, when a hacker uses telnet to connect to port 80 of your domain, the PHP information is no longer visible in the response headers.

8. Disable registering global variables

In PHP, submitted variables, including those submitted through POST or GET requests, are automatically registered as global variables and are directly accessible. This is unsafe for servers, so you should prevent them from being registered as global variables. To do this, disable the register_globals option as follows:

```ini
register_globals = off
```

Note: This parameter was removed in versions later than 5.3.

If this configuration is applied, the corresponding variable has to be retrieved in a different and more reasonable way (for example, when the var variable is submitted with GET, retrieve it with $_GET['var']).

9. Defense against Web SQL injection

Web SQL injection is dangerous. It may lead to intrusion into the website backend, or even compromise of the entire server. You can prevent web SQL injection with the following configuration in the php.ini file:

```ini
magic_quotes_gpc = on
```

Note: This parameter was removed in versions later than PHP 5.4.0.

This setting automatically escapes the input submitted by users before it reaches SQL queries, for example converting ' to \', which greatly helps in preventing web SQL injection.
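As an added example (not part of the original document), the following script shows the escaping that magic_quotes_gpc applied to every submitted value, next to a parameterised PDO query that does not depend on that setting and therefore also protects PHP versions where it has been removed. It assumes the pdo_sqlite extension is available and uses a constructed in-memory table.

```php
<?php
// Added example (not part of the original document): the escaping that
// magic_quotes_gpc applied to every GET/POST/COOKIE value, next to a
// parameterised query that stays safe without it. Uses an in-memory SQLite
// database (requires the pdo_sqlite extension) with constructed sample rows.

// magic_quotes_gpc was equivalent to calling addslashes() on each input value:
// it prefixes ' " \ and NUL with a backslash, so  '  becomes  \'
function legacyMagicQuotes(string $input): string {
    return addslashes($input);
}

// Parameterised lookup: the value travels separately from the SQL text, so a
// quote character in $name is data and can never change the query structure.
function findUser(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database with two sample users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$hostile = "alice' OR '1'='1";              // constructed input containing quotes
echo legacyMagicQuotes($hostile), PHP_EOL;  // alice\' OR \'1\'=\'1
var_dump(findUser($db, $hostile));          // NULL: no user has this exact name
var_dump(findUser($db, 'bob'));             // the row for bob
```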

10. Error message control

If PHP cannot connect to the database or fails in other ways, it emits an error message. Such messages usually contain the current path of the PHP script, the SQL statement being executed, and other internal details. It is unsafe to expose this information to a hacker, so we recommend that you disable the display of error messages on servers with the following configuration:

```ini
display_errors = Off
```

If you must display error messages, restrict the level shown, for example to warnings and errors only, with the following configuration:

```ini
error_reporting = E_WARNING | E_ERROR
```

Note: The levels are combined with the bitwise OR operator (|); combining them with & evaluates to 0 and reports nothing.

Note: We strongly recommend that you disable displaying error messages.

11. Error logs

After you set display_errors to Off, we recommend that you log error messages to facilitate troubleshooting of server problems. You can enable error logging with the following configuration:

```ini
log_errors = On
```

Additionally, you have to set the file in which the error log is stored. We recommend that you store it together with the Apache logs.

```ini
error_log = /usr/local/apache2/logs/php_error.log
```

Note: The Apache user or group must have write permission on the log file.
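As an added example (not part of the original document), the following script audits a running PHP installation against the settings recommended in this document using ini_get(). The file name audit.php and the list of functions it checks are assumptions; because the CLI may load a different php.ini than the web server, pass the server's file with php -c.

```php
<?php
// Added example (not part of the original document): audit the running PHP
// configuration against the php.ini settings recommended above. It only reads
// values with ini_get(). Run against the web server's file:  php -c /path/php.ini audit.php

// Directive => recommended state (true = On, false = Off).
$expected = [
    'safe_mode'        => true,   // unknown to PHP >= 5.4 and reported as N/A
    'safe_mode_gid'    => false,
    'register_globals' => false,  // unknown to PHP >= 5.4
    'expose_php'       => false,
    'display_errors'   => false,
    'log_errors'       => true,
];
// Functions this document recommends listing in disable_functions (assumed subset).
$mustDisable = ['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open', 'phpinfo', 'dl'];

// PHP accepts several spellings for "on"; display_errors may also be
// "stdout"/"stderr", which both mean errors are shown.
function iniIsOn(string $value): bool {
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true);
}

$findings = [];
foreach ($expected as $directive => $wantOn) {
    $raw = ini_get($directive);   // false when this PHP build has no such directive
    if ($raw === false) {
        $findings[] = sprintf('N/A  %-17s not supported by PHP %s', $directive, PHP_VERSION);
        continue;
    }
    $state = iniIsOn((string) $raw) === $wantOn ? 'OK  ' : 'WEAK';
    $findings[] = sprintf('%s %-17s = "%s" (recommended: %s)', $state, $directive, $raw, $wantOn ? 'On' : 'Off');
}

// open_basedir must be set; PHP matches each entry as a path prefix, so an entry
// without a trailing slash (/usr/www) would also allow /usr/www2.
$basedir = (string) ini_get('open_basedir');
$findings[] = $basedir === '' ? 'WEAK open_basedir is not set' : "INFO open_basedir = $basedir";
foreach (array_filter(explode(PATH_SEPARATOR, $basedir)) as $dir) {
    if (substr($dir, -1) !== '/') {
        $findings[] = "NOTE open_basedir entry $dir has no trailing slash (prefix match)";
    }
}

// Every function in $mustDisable should appear in disable_functions.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
$stillEnabled = array_diff($mustDisable, $disabled);
$findings[] = $stillEnabled ? 'WEAK still callable: ' . implode(', ', $stillEnabled)
                            : 'OK   command-execution and phpinfo() functions are disabled';
echo implode(PHP_EOL, $findings), PHP_EOL;
```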
