PHP Security Concepts
This page provides an in-depth look at why we make certain suggestions for hardening your PHP
's safe mode (
) feature attempts to enforce read/write permissions on shared hosting environments for PHP. Ordinarily, a PHP script can view or modify any file on the filesystem for which it has read or write access. Enabling
to check the user ID (
) of the script as it attempts to open a file against that file's (or directory's)
. If the user IDs do not match, the script cannot open or modify the file or directory. This prevents users from accessing files via PHP that do not belong to them. In effect, this prevents attackers from exploiting read/write insecurities and injecting malicious code into other scripts via PHP
You can relax safe mode's file check to a group ID (
) rather than a
). This can be useful if
is too restrictive for use in your environment. For example, if several developers with different user IDs require the ability to open and modify the same file or directory via PHP, you can enable
. This causes PHP to check the group IDs of the script and file, rather than the user IDs. In effect, this will allow several developers with different
to open and modify the same set of files as long as each of the developers is in the same group.
In addition to enabling
, you may also choose to restrict which directories can contain included or executable files. Under default conditions, any directory on the filesystem could contain included or executable PHP files. This is a danger.
feature will be removed in a future version of PHP
Local file include attacks occur when an attacker is able to pull local files into PHP scripts to view sensitive information on or about your system. For example, an attacker may be able to include and subsequently view the
file using a PHP inclusion vulnerability, in effect acquiring some basic information about every account associated with your web server.
To prevent local file include vulnerabilities from being accessed by a user who doesn't own the directory, you can enable the
feature via WHM >> open_basedir PHP Tweak. This will limit an attacker's access via local includes to a single directory. Enabling the PHP open_basedir Tweak
scripts from reading files outside of the users’ home directories.
Remote file include attacks occur when an attacker is able to pull files from a remote location onto your server. When remote includes are used, an attacker will write a PHP script and host it on his or her own server, then use a remote inclusion method to take advantage of include vulnerabilities on your server. If your PHP configuration is insecure, an attacker does not need to have read/write permissions on your server to execute the malicious data from his or her server. To prevent remote file inclusion attacks, set the
parameters to Off. These changes can be made in the Advanced Mode of the PHP Configuration Editor
if the setting already exists in
functions are not safe for a production environment. PHP developers may not use these functions; you should disable them so that an attacker cannot use them either. More often than not, disabling these functions will stop an attacker who has managed to get a malicious PHP script onto your system. If the function is disabled, the malicious script will not work. In short, disabling some functionality will limit an attacker's ability to perform malicious actions on your system via PHP
When selecting which functions you wish to disable, it may be important to consult your PHP developers. There are many functions in PHP that basically perform the same tasks. Requiring that your developers standardize to one or two of these functions will prevent attackers from using the others against you.
Preventing information disclosure
Disclosing information, such as errors, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker will need to acquire a wealth of general information about your system. This information includes your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application's user interface is one way to inhibit an attacker's ability to gain information he could use to compromise your system.
is disabled, your developers are still able to retrieve debugging information from the appropriate PHP
Restrict file uploads
Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the
Many administrators also choose to limit the maximum file size users can upload using the
parameter. Setting this parameter is not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server's PHP
Some attackers attempt to hijack sessions. This occurs when an attacker is able to steal a user's web application session and perform actions as that user. PHP uses long, randomly generated session identifiers for its URLs. While this makes session URLs exceedingly difficult to guess, the value must be stored on the filesystem. This makes it possible for an attacker to retrieve the session IDs.
parameter to On
You may also wish to allow PHP to check HTTP referrer values. This ensures that sensitive session information passes internally during a user's session. In effect, this will prevent users from accidentally publishing sensitive session information by sharing a URL
Disable register globals
Global variables allow a PHP script to receive and process variables without a specified source. This is dangerous because attackers would be able to overwrite configuration variables to gain access to areas of your system that would ordinarily be restricted.
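The hardening points above (remote includes, disabled functions, error display, open_basedir, upload directory, register globals) can be checked against a php.ini file with a short audit script. This is an added example, not part of the original page: the directive names are real php.ini directives chosen for the example, the list of command-execution functions is an assumption (the page names none), and the sample file is constructed.

```python
import re
# PHP's built-in defaults, used when a directive is absent from the file.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0", "display_errors": "1",
            "log_errors": "1", "file_uploads": "1", "register_globals": "0"}
# Assumption: sample command-execution functions; the page lists none.
RISKY_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
# Constructed php.ini fragment used as sample input.
SAMPLE_INI = """\
allow_url_fopen = On      ; remote wrappers enabled
allow_url_include = Off
display_errors = On
log_errors = On
disable_functions = exec, passthru
file_uploads = On
"""

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=(.*)$", line)  # skips comments and [sections]
        if m:
            value = re.sub(r"(^|\s);.*$", "", m.group(2))  # drop trailing comment
            conf[m.group(1)] = value.strip().strip("\"'")
    return conf

def is_on(conf, key):
    return conf.get(key, DEFAULTS[key]).lower() in {"1", "on", "true", "yes"}

def audit(text):
    """Return findings for the hardening points discussed on this page."""
    c, out = parse_ini(text), []
    for key in ("allow_url_fopen", "allow_url_include"):
        if is_on(c, key):
            out.append(f"{key} is On: remote file inclusion is possible")
    if is_on(c, "display_errors"):
        out.append("display_errors is On: errors are shown to visitors")
    if not is_on(c, "log_errors"):
        out.append("log_errors is Off: developers lose their debugging trail")
    disabled = {f.strip() for f in c.get("disable_functions", "").split(",")}
    out += [f"{f}() is not in disable_functions" for f in sorted(RISKY_FUNCS - disabled)]
    if not c.get("open_basedir"):
        out.append("open_basedir is not set in this file")
    if is_on(c, "file_uploads") and not c.get("upload_tmp_dir"):
        out.append("file_uploads is On but upload_tmp_dir is unset (system default)")
    if is_on(c, "register_globals"):
        out.append("register_globals is On")
    return out

if __name__ == "__main__": print("\n".join(audit(SAMPLE_INI)))
```

The script only sees what is in the file it is given; a setting applied elsewhere, such as per virtual host in the web server configuration, has to be confirmed against the running configuration.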
To learn more about securing your PHP installation, visit our PHP