Securing PHP 5 Configuration File (php.ini)

PHP was called the vulnerable scripting language around version 4, but a lot has improved since then; my Linux box now runs PHP 5.4 with its built-in test server. Thousands of websites and blogs try to make PHP developers aware of common attacks and how to prevent them. In my view, the most common vulnerability is still bad coding practice, which is what leads to SQL injection and XSS-type attacks.

Suhosin, a PHP hardening extension, served well for a few years, but its development has now ceased for some reason. The dotdeb.org package of PHP 5.4 no longer ships with Suhosin for the same reason.

Below are some settings to secure or harden your PHP configuration on the server side:

Note: A better approach is to define a separate ini file for each user as needed rather than editing the global php.ini.

; Only accept <?php tags, so a stray "<?" or "<%" in a template is never executed as code
short_open_tag = Off
asp_tags = Off

; Functions that spawn processes, reveal source or configuration, or fetch remote content
; (curl_exec and curl_multi_exec break many applications; keep them in the list only if nothing on the box needs cURL)
disable_functions = phpinfo,system,exec,shell_exec,passthru,popen,proc_open,parse_ini_file,show_source,symlink,curl_exec,curl_multi_exec

; Do not advertise the PHP version in the X-Powered-By header
expose_php = Off

; Log everything, but never show errors (paths, queries, stack traces) to the client;
; the log file must be writable by the web server user
error_reporting = E_ALL
display_errors = Off
log_errors = On
ignore_repeated_errors = Off
report_memleaks = Off
error_log = /var/log/php-errors.log

; Confine file access to the web tree and /tmp; the upload and session
; directories must lie inside open_basedir or PHP cannot use them
open_basedir = "/home/user/websites:/tmp/"
upload_tmp_dir = /home/user/websites/.tmp
session.save_path = "/home/user/websites/.tmp"

; Limit request and upload sizes, and fix the charset so browsers do not have to guess it
post_max_size = 10M
upload_max_filesize = 2M
default_charset = "UTF-8"

; Refuse to open remote URLs with the file functions
; (allow_url_include is Off by default and depends on this setting anyway)
allow_url_fopen = Off

Since this is my personal box, I restricted all the functions that could leak personal information or be exploited in some other way.

You may also want to run PHPSecInfo to verify the applied settings and catch any you missed.
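As an added example (not from the original post, and not PHPSecInfo itself), here is a small POSIX shell audit that checks a php.ini file against the values listed above. It reads directives the way PHP does (comment and section lines skipped, quotes stripped, the last assignment wins), normalises boolean spellings such as 1/On/yes so that "display_errors = 1" is still reported, and treats an absent directive as a finding rather than as Off, because the compiled-in default for expose_php, allow_url_fopen, short_open_tag and display_errors is On. The two sample ini files it writes are constructed for the demonstration and are not real server files; the paths and the list of functions it insists on are assumptions.

```shell
#!/bin/sh
# php.ini hardening audit. Added example, not from the original post.

# Print the effective value of directive $2 in ini file $1. Skips ';'
# comment lines and [section] headers, strips surrounding whitespace,
# trailing comments and one pair of double quotes; the last assignment
# wins, as in PHP. (Quoted values containing ';' are not handled.)
ini_get_value() {
    awk -v key="$2" '
        /^[ \t]*;/ || /^[ \t]*\[/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            name = substr($0, 1, i - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != key) next
            val = substr($0, i + 1)
            sub(/[ \t]*;.*$/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            n = length(val)
            if (n >= 2 && substr(val, 1, 1) == "\"" && substr(val, n, 1) == "\"")
                val = substr(val, 2, n - 2)
            found = val
        }
        END { print found }
    ' "$1"
}

# PHP accepts On/1/Yes/True and Off/0/No/False for boolean directives,
# so compare the normalised form; non-boolean values pass through.
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|off|0|no|false) echo off ;;
        on|1|yes|true)     echo on ;;
        *)                 echo "$1" ;;
    esac
}

# Succeed if function $2 is listed in disable_functions of ini file $1.
ini_has_disabled() {
    ini_get_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# Boolean directives and their hardened values, taken from the post.
HARDENED_BOOLS="short_open_tag=Off asp_tags=Off expose_php=Off display_errors=Off log_errors=On allow_url_fopen=Off"
# Functions that must be disabled (a subset of the post's list; assumption).
MUST_DISABLE="system exec shell_exec passthru popen proc_open phpinfo"

# Audit one php.ini: findings go to stderr, the number of findings to stdout.
audit_phpini() {
    file="$1"; bad=0
    for pair in $HARDENED_BOOLS; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_get_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set, compiled-in default applies" >&2
            bad=$((bad + 1))
        elif [ "$(norm_bool "$got")" != "$(norm_bool "$want")" ]; then
            echo "$key = $got (want $want)" >&2
            bad=$((bad + 1))
        fi
    done
    for fn in $MUST_DISABLE; do
        ini_has_disabled "$file" "$fn" || { echo "disable_functions lacks $fn" >&2; bad=$((bad + 1)); }
    done
    [ -n "$(ini_get_value "$file" open_basedir)" ] || { echo "open_basedir not set" >&2; bad=$((bad + 1)); }
    echo "$bad"
}

# Constructed sample inputs (not real server files): one matching the post,
# one with typical mistakes. Prints the directory they were written to.
write_samples() {
    dir=${TMPDIR:-/tmp}/phpini-audit.$$
    mkdir -p "$dir"
    cat > "$dir/good.ini" <<'EOF'
[PHP]
; hardened as in the post
short_open_tag = Off
asp_tags = Off
disable_functions = phpinfo,system,exec,shell_exec,passthru,popen,proc_open,parse_ini_file,show_source,symlink,curl_exec,curl_multi_exec
expose_php = Off
display_errors = Off
log_errors = On
open_basedir = "/home/user/websites:/tmp/"
allow_url_fopen = Off
EOF
    cat > "$dir/bad.ini" <<'EOF'
[PHP]
short_open_tag = 1            ; spelled differently, still On
display_errors = stdout
log_errors = Off
disable_functions = phpinfo, exec
open_basedir =
; asp_tags, expose_php and allow_url_fopen absent: compiled-in defaults apply
EOF
    echo "$dir"
}

# Usage against a real file (path is an assumption): audit_phpini /etc/php5/apache2/php.ini
```

The script audits the file on disk, not the running interpreter: per-directory overrides (.user.ini, php_admin_value in a PHP-FPM pool, php_value in Apache) can change the effective value, so a runtime check such as PHPSecInfo or `php -i` is still worth doing afterwards.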
