PHP Security Concepts

This page provides an in-depth look at why we make certain suggestions for hardening your PHP configuration.

Safe Mode

PHP's safe mode (safe_mode) feature attempts to enforce read/write permissions in shared hosting environments. Ordinarily, a PHP script can open and modify any file on the filesystem that the web server's user can access. Enabling safe_mode causes PHP, whenever a script attempts to open a file, to compare the owner UID of the script with the owner UID of that file (or directory). If the user IDs do not match, the script cannot open or modify the file or directory. This prevents users from accessing files via PHP that do not belong to them and, in effect, prevents attackers from exploiting loose read/write permissions to inject malicious code into other users' scripts via PHP.

You can relax safe mode's file check from a user ID check to a group ID (GID) check (safe_mode_gid). This can be useful if safe_mode is too restrictive for your environment. For example, if several developers with different user IDs need to open and modify the same file or directory via PHP, you can enable safe_mode_gid. This causes PHP to compare the group IDs of the script and file rather than the user IDs. In effect, several developers with different UIDs can open and modify the same set of files as long as all of them are in the same group.

In addition to enabling safe_mode or safe_mode_gid, you can restrict which directories may contain included or executable files. By default, any directory on the filesystem can contain included or executable PHP files, which is dangerous.

Restricting Includes

Local include attacks occur when an attacker is able to pull local files into PHP scripts to view sensitive information on or about your system. For example, an attacker may be able to include and subsequently view the /etc/passwd file using a PHP inclusion vulnerability, in effect acquiring some basic information about every account associated with your web server.

To help prevent local include vulnerabilities, you can set the open_basedir parameter in your PHP configuration to a specific directory. This limits an attacker's access via local includes to the specified directory tree. In most cases, you will want to set open_basedir to a public_html directory, allowing PHP to open and modify HTTP-accessible (public) files within that directory while denying access to more sensitive files outside it.

Remote file include attacks occur when an attacker is able to pull files from a remote location onto your server. In a remote include, the attacker writes a PHP script, hosts it on his or her own server, and then uses a remote inclusion vulnerability in your application to make your server fetch and execute that script. If your PHP configuration is insecure, the attacker does not need read/write permissions on your server for the offending script to run. To prevent remote file inclusion attacks, set the allow_url_fopen and allow_url_include parameters to Off.

Disabling Functionality

Some PHP functions are not safe for a production environment. Though your PHP developers may not use these functions, you should disable them so that an attacker cannot use them either. More often than not, disabling these functions will stop an attacker who has managed to get a malicious PHP script onto your system. If the function is disabled, the malicious script will not work. In short, disabling some functionality will limit an attacker's ability to perform malicious actions on your system via PHP.

When selecting which functions to disable, consult your PHP developers. Many PHP functions perform essentially the same tasks. Requiring your developers to standardize on one or two of these functions lets you disable the rest, which prevents attackers from using them against you.

Preventing Information Disclosure

Disclosing information, such as error messages, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker needs to gather a wealth of general information about your system: your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application's user interface is one way to limit an attacker's ability to gain information that could be used to compromise your system.

When display_errors is disabled, your developers can still retrieve debugging information from the PHP error log.

Restrict File Uploads

Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the upload_tmp_dir parameter.

Many administrators also choose to limit the maximum file size users can upload using the upload_max_filesize parameter. Setting this parameter is generally not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server's PHP load.

Protect Sessions

Some attackers attempt to hijack sessions. This occurs when an attacker is able to steal a user's web application session and perform actions as that user. PHP generates long, random session identifiers, so a session ID, whether carried in a cookie or in a URL, is exceedingly difficult to guess. However, the session data keyed by those identifiers is stored on the server's filesystem, and if that storage is readable by others, an attacker can retrieve session IDs from it.

Attackers may inject JavaScript into pages to steal cookies (hijack sessions). You can prevent them from doing so by setting the session.cookie_httponly parameter to On. This directive prevents JavaScript from accessing a PHP application's session cookies. If your developers require that JavaScript have access to session cookies, do not enable this option.

You may also wish to have PHP check the HTTP Referer header of requests that carry a session ID. This ensures that a session ID is only honored when the request comes from within your own site; in effect, a session ID that a user accidentally publishes by sharing a URL cannot be used from elsewhere.

Disable Register Globals

With register_globals enabled, PHP turns incoming request input (query string, form, and cookie values) into ordinary script variables without the script specifying where they came from. This is dangerous because an attacker can supply input that overwrites configuration and other internal variables, gaining access to areas of your system that would ordinarily be restricted.
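As a defender-side check covering the directives discussed on this page (safe mode, includes, disabled functions, error display, uploads, sessions, and register_globals), here is an added Python audit script; it is not part of this page and not cPanel software. It parses a php.ini and reports which directives are left in a weak setting, using two constructed php.ini fragments embedded in the block: one deliberately weak, one following this page's advice. It also checks log_errors and file_uploads, which this page does not name but which are real PHP directives. safe_mode and register_globals were removed in PHP 5.4, so the script flags them only when they appear in the file. The parser is deliberately minimal: it ignores section headers, since php.ini directive names are global, and does not handle ';' inside quoted values.

```python
# Audit a php.ini against the hardening directives discussed on this page (added example).

def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [sections] are skipped, and
    'key = value' pairs are collected with surrounding double quotes removed."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip('"')
    return directives


def ini_bool(value):
    """php.ini boolean interpretation: on/yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit(text):
    """Return a list of (directive, current value, finding) tuples; empty means all checks passed."""
    d = parse_php_ini(text)
    findings = []

    def get(key):
        return d.get(key, "")

    def flag(key, message):
        findings.append((key, get(key) or "<unset>", message))

    # Remote file inclusion: both URL directives must be Off.
    for key in ("allow_url_fopen", "allow_url_include"):
        if ini_bool(get(key)):
            flag(key, "On: permits remote file inclusion; set to Off")
    # Local inclusion: open_basedir must be set; PHP treats each entry as a prefix
    # unless it ends with '/', so require the trailing slash.
    base = get("open_basedir")
    if not base:
        flag("open_basedir", "unset: scripts may open any file the server user can read")
    elif not all(entry.endswith("/") for entry in base.split(":")):
        flag("open_basedir", "entry lacks trailing '/': siblings such as public_html2 also match")
    # Functions nobody uses should still be disabled so an injected script cannot use them.
    if not get("disable_functions"):
        flag("disable_functions", "empty: disable the functions your application does not need")
    # Information disclosure: errors belong in the log, not in the browser.
    if ini_bool(get("display_errors")):
        flag("display_errors", "On: errors are shown to users; set Off")
    if not ini_bool(get("log_errors")):
        flag("log_errors", "Off: developers lose the log they need once display_errors is Off")
    # Uploads: if they must stay on, move the temporary directory off the default.
    if ini_bool(get("file_uploads")) and not get("upload_tmp_dir"):
        flag("upload_tmp_dir", "uploads enabled but temp directory left at the default")
    # Sessions: keep the cookie away from scripts and tie URL-borne IDs to the site.
    if not ini_bool(get("session.cookie_httponly")):
        flag("session.cookie_httponly", "Off: injected JavaScript can read the session cookie")
    if not get("session.referer_check"):
        flag("session.referer_check", "empty: session IDs in shared URLs are accepted from anywhere")
    # Legacy directives (removed in PHP 5.4): only meaningful when present in the file.
    if ini_bool(get("register_globals")):
        flag("register_globals", "On: request input silently overwrites script variables")
    if "safe_mode" in d and not ini_bool(get("safe_mode")):
        flag("safe_mode", "Off on a build that still supports it; this page recommends On")
    return findings


# Constructed sample fragments; neither is taken from a real server.
WEAK_INI = """\
[PHP]
allow_url_fopen = On
allow_url_include = On
open_basedir = /home/example/public_html
disable_functions =
display_errors = On
log_errors = Off
file_uploads = On
register_globals = On
[Session]
session.cookie_httponly = 0
session.referer_check =
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/home/example/public_html/:/tmp/"
disable_functions = exec,passthru,shell_exec,system
display_errors = Off
log_errors = On
file_uploads = On
upload_tmp_dir = /home/example/tmp
register_globals = Off
[Session]
session.cookie_httponly = 1
session.referer_check = example.com
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label}: {len(audit(ini))} finding(s)")
        for directive, value, message in audit(ini):
            print(f"  {directive} = {value}: {message}")
```

Run against your own file with `audit(open("/usr/local/lib/php.ini").read())` (path is an example; use wherever your build keeps php.ini). The weak fragment yields ten findings and the hardened one none; the list of functions in disable_functions is only a starting point, which is why the page advises agreeing the list with your developers.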

Topic revision: r4 - 13 Oct 2010 - 18:55:10 - Main.JustinSchaefer
AllDocumentation/WHMDocs.PhpSecurityConcepts moved from Sandbox.PhpSecurityConcepts on 13 Oct 2010 - 18:40 by Main.JustinSchaefer

Copyright © cPanel 2000–2011.