PHP used to be called the vulnerable scripting language around version 4, but a lot has improved since then; my Linux box now runs PHP 5.4 with its built-in test server. Thousands of websites and blogs exist to make PHP developers aware of common attacks and how to prevent them. In my view, the most common vulnerability is actually bad coding practice, which is what leads to SQL injection and XSS-style attacks.
Suhosin, a PHP hardening extension, served well for a few years, but its development has since ceased. For that reason the dotdeb.org package of PHP 5.4 no longer ships with Suhosin.
Below are some settings for securing or hardening your PHP configuration on the server side:
Note: The preferred approach is to define a separate ini file for each user according to their needs, rather than changing the global php.ini.
short_open_tag = Off
asp_tags = Off
disable_functions = phpinfo,system,exec,shell_exec,passthru,popen,proc_open,parse_ini_file,show_source,symlink,curl_exec,curl_multi_exec
expose_php = Off
error_reporting = E_ALL
display_errors = Off
log_errors = On
ignore_repeated_errors = Off
report_memleaks = Off
open_basedir = "/home/user/websites:/tmp/"
upload_tmp_dir = /home/user/websites/.tmp
session.save_path = "/home/user/websites/.tmp"
error_log = /var/log/php-errors.log
post_max_size = 10M
default_charset = "UTF-8"
upload_max_filesize = 2M
allow_url_fopen = Off
Since this is my personal box, I disabled every function that could leak personal information or be exploited in some other way.
You may also want to run PHPSecInfo to verify the applied settings and catch any you missed.
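As a lighter-weight companion to a PHPSecInfo run, here is an added example (not from the original post) that parses a php.ini-style file and reports every directive that deviates from the baseline above. PHP_INI_SAMPLE is a constructed input, and the set of boolean directives and required disabled functions is taken from the list above.

```python
# Added example (not from the original post): audit a php.ini-style file against
# the hardened settings above. PHP_INI_SAMPLE is a constructed input.
# Functions the post disables; the audit requires each of them to be listed.
REQUIRED_DISABLED = {"phpinfo", "system", "exec", "shell_exec", "passthru", "popen",
                     "proc_open", "parse_ini_file", "show_source", "symlink", "curl_exec", "curl_multi_exec"}
# Boolean directives and the value the post sets for each.
EXPECTED_FLAGS = {"short_open_tag": False, "asp_tags": False, "expose_php": False,
                  "display_errors": False, "log_errors": True, "allow_url_fopen": False}

def parse_ini(text):
    """Parse php.ini lines into a dict; strips ';' comments, [sections] and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

# php.ini accepts On/Off, Yes/No, True/False and 1/0 for boolean directives.
def as_bool(value):
    return value.strip().lower() in ("on", "yes", "true", "1")

def audit(text):
    """Return sorted findings; an empty list means the file matches the baseline."""
    cfg = parse_ini(text)
    findings = []
    for key, expected in EXPECTED_FLAGS.items():
        # An absent directive keeps PHP's built-in default, so it is reported too.
        if key not in cfg or as_bool(cfg[key]) != expected:
            findings.append(f"{key} should be {'On' if expected else 'Off'}")
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(sorted(missing)))
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is not set")
    return sorted(findings)

# Constructed sample: expose_php left On, open_basedir absent, system not disabled.
PHP_INI_SAMPLE = """[PHP]
short_open_tag = Off
asp_tags = Off
disable_functions = phpinfo,exec,shell_exec,passthru,popen,proc_open,parse_ini_file,show_source,symlink,curl_exec,curl_multi_exec
expose_php = On   ; leaks the PHP version in the X-Powered-By header
display_errors = Off
log_errors = On
allow_url_fopen = Off
"""
```

Running audit() on the sample reports the three deviations; point it at a per-user ini file to check that file instead.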