linux:securingphp
linux:securingphp [2011/08/12 20:54] – rlunaro | linux:securingphp [2022/12/02 22:02] – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
+ | ====== Securing PHP ====== | ||
+ | |||
+ | Here is my configuration / notes about securing a php installation. | ||
+ | |||
+ | |||
+ | ===== php_openbasedir must be configured per site ===== | ||
+ | |||
+ | In the apache configuration of the virtual host, **open_basedir** must be configured and must point | ||
+ | to the directory of the web application or deeper, to ban php to open other files that aren't in the | ||
+ | installation. | ||
+ | |||
+ | Example: | ||
+ | |||
+ | < | ||
+ | < | ||
+ | php_admin_value open_basedir "/ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ===== include_path must be specified also and limited to the web directory or deeper ===== | ||
+ | |||
+ | '' | ||
+ | '' | ||
+ | application has an " | ||
+ | to read configuration files or other information. | ||
+ | |||
+ | This configuration must be set per virtual host, and it's better to set a non-existent file | ||
+ | in the main php.ini file. | ||
+ | |||
+ | Example: | ||
+ | |||
+ | < | ||
+ | php_admin_value include_path "/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== upload_tmp_dir must be set OUTSIDE YOUR WEBSITE ===== | ||
+ | |||
+ | **__This is a frequent source of problems__**. And I misunderstood that many times, until somebody | ||
+ | kindly let me know about this, by injecting c99.php in my website. This directive configures | ||
+ | the directory where upload files must be placed when loaded: it's a very bad idea to have them | ||
+ | inside your website, because it allows an attacker to upload any php file and execute it afterwards. | ||
+ | |||
+ | Example: | ||
+ | |||
+ | < | ||
+ | php_admin_value upload_tmp_dir "/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== engine must be unset if the site doesn' | ||
+ | |||
+ | Configure '' | ||
+ | |||
+ | Example: | ||
+ | |||
+ | < | ||
+ | php_admin_value engine On | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
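Review bot: The engine example contradicts its own heading. The heading (`===== engine must be unset if the site doesn'`) says the PHP engine should be disabled for virtual hosts that do not use PHP, but the example that follows turns it on (`php_admin_value engine On`); for a non-PHP host the example should read `php_admin_flag engine Off` (engine is a boolean directive, so `php_admin_flag` is the matching Apache directive), with the On value, if kept at all, shown as the setting for the hosts that do serve PHP. Separately, the values in the other examples are cut off in this revision view (`php_admin_value open_basedir "/`, `php_admin_value include_path "/`, `php_admin_value upload_tmp_dir "/`), so a reader cannot see which directories were intended; the stored page should be checked to confirm it carries the full paths, since the whole point of each section is that the path is limited to the site directory (or, for upload_tmp_dir, placed outside it).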
linux/securingphp.txt · Last modified: 2024/02/05 13:57 by rlunaro