PHP Security Concepts

Overview

This page provides an in-depth look at why we make certain suggestions for hardening your PHP configuration.

Safe mode

PHP's safe mode (safe_mode) feature attempts to enforce read/write permissions on shared hosting environments for PHP. Ordinarily, a PHP script can view or modify any file on the filesystem for which it has read or write access. Enabling safe_mode causes PHP to check the user ID (UID) of the script as it attempts to open a file against that file's (or directory's) UID. If the user IDs do not match, the script cannot open or modify the file or directory. This prevents users from accessing files via PHP that do not belong to them. In effect, this prevents attackers from exploiting read/write insecurities and injecting malicious code into other scripts via PHP.

You can relax safe mode's file check to a group ID (GID) rather than a UID check (safe_mode_gid). This can be useful if safe_mode is too restrictive for use in your environment. For example, if several developers with different user IDs require the ability to open and modify the same file or directory via PHP, you can enable safe_mode_gid. This causes PHP to check the group IDs of the script and file, rather than the user IDs. In effect, this will allow several developers with different UIDs to open and modify the same set of files as long as each of the developers is in the same group.

In addition to enabling safe_mode or safe_mode_gid, you may also choose to restrict which directories can contain included or executable files. Under default conditions, any directory on the filesystem could contain included or executable PHP files. This is a danger.

Note: safe_mode is deprecated as of PHP 5.3. The safe_mode feature will be removed in a future version of PHP.

Restricting includes

Local file include attacks occur when an attacker is able to pull local files into PHP scripts to view sensitive information on or about your system. For example, an attacker may be able to include and subsequently view the /etc/passwd file using a PHP inclusion vulnerability, in effect acquiring some basic information about every account associated with your web server.

To prevent local file include vulnerabilities from being accessed by a user who doesn't own the directory, you can enable the open_basedir feature via WHM >> open_basedir PHP Tweak. This will limit an attacker's access via local includes to a single directory. Enabling the PHP open_basedir Tweak prevents PHP scripts from reading files outside of the users' home directories.

Remote file include attacks occur when an attacker is able to pull files from a remote location onto your server. When remote includes are used, an attacker will write a PHP script and host it on his or her own server, then use a remote inclusion method to take advantage of include vulnerabilities on your server. If your PHP configuration is insecure, an attacker does not need to have read/write permissions on your server to execute the malicious code from his or her server. To prevent remote file inclusion attacks, set the allow_url_fopen and allow_url_include parameters to Off. These changes can be made in the Advanced Mode of the PHP Configuration Editor if the setting already exists in /usr/local/lib/php.ini.
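The php.ini settings above are a server-wide backstop; the include vulnerability itself lives in application code. The following is an added example (not from this page or from cPanel) showing the pattern that makes local and remote includes possible next to a hardened form that an application should use regardless of open_basedir and allow_url_* settings. The pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not part of the original page. Directory layout and
// page names are assumptions for illustration.

// VULNERABLE pattern: the request decides what gets included. Whether this
// becomes a local or a remote file include depends entirely on the php.ini
// directives discussed above (open_basedir, allow_url_fopen, allow_url_include).
function loadPageUnsafe(string $page): void
{
    include $page . '.php';
}

// HARDENED form: the request only selects among names the application
// already knows, and the resolved path is confirmed to sit under PAGE_DIR.
const PAGE_DIR      = __DIR__ . '/pages';             // assumed location
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed allow-list

function loadPage(string $page): bool
{
    // 1. Allow-list: anything not listed is refused outright.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;
    }
    // 2. Canonicalise and check the prefix. realpath() returns false for a
    //    missing file and resolves symlinks, so a link pointing outside the
    //    directory is caught here as well.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Usage: unknown or unresolvable pages yield a 404 instead of an include error.
$requested = (string) ($_GET['page'] ?? 'home');
if (!loadPage($requested)) {
    http_response_code(404);
    echo 'Page not found';
}
```

Even with the hardened form in place, keep allow_url_include Off and open_basedir set: the ini directives catch the next developer's include that was not written this carefully.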

Disabling functionality

Some PHP functions are not safe for a production environment. PHP developers may not use these functions; you should disable them so that an attacker cannot use them either. More often than not, disabling these functions will stop an attacker who has managed to get a malicious PHP script onto your system. If the function is disabled, the malicious script will not work. In short, disabling some functionality will limit an attacker's ability to perform malicious actions on your system via PHP.

When selecting which functions you wish to disable, it may be important to consult your PHP developers. There are many functions in PHP that basically perform the same tasks. Requiring that your developers standardize to one or two of these functions will prevent attackers from using the others against you.

Preventing information disclosure

Disclosing information, such as errors, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker will need to acquire a wealth of general information about your system. This information includes your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application's user interface is one way to inhibit an attacker's ability to gain information he could use to compromise your system.

When display_errors is disabled, your developers are still able to retrieve debugging information from the appropriate PHP logs.

Restrict file uploads

Restricting all file uploads is an easy way to completely prevent attackers from exploiting your PHP configuration to inject their own PHP scripts. However, some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, you should change the default temporary directory for file uploads using the upload_tmp_dir parameter.

Many administrators also choose to limit the maximum file size users can upload using the upload_max_filesize parameter. Setting this parameter is not intended to improve the security of your PHP configuration. Administrators choose to set this parameter to help manage the server's PHP load.

Protect sessions

Some attackers attempt to hijack sessions. This occurs when an attacker is able to steal a user's web application session and perform actions as that user. PHP uses long, randomly generated session identifiers for its URLs. While this makes session URLs exceedingly difficult to guess, the value must be stored on the filesystem. This makes it possible for an attacker to retrieve the session IDs.

Attackers may inject JavaScript into pages to steal cookies (hijack sessions). You can prevent them from doing so by setting the session.cookie_httponly parameter to On. This directive prevents JavaScript from accessing a PHP application's session cookies. If your developers require that JavaScript have access to session cookies, do not enable this option.

You may also wish to allow PHP to check HTTP referrer values. This ensures that sensitive session information passes internally during a user's session. In effect, this will prevent users from accidentally publishing sensitive session information by sharing a URL.

Disable register globals

The register_globals setting allows a PHP script to receive and process variables without a specified source. This is dangerous because attackers would be able to overwrite configuration variables to gain access to areas of your system that would ordinarily be restricted.
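The sections above each name a php.ini directive; a quick way to confirm a server is actually in the hardened state is to ask the running interpreter. The following audit script is an added example (not from this page or from cPanel) that checks the directives discussed here, covering the includes, disabled functions, error display, uploads, sessions and register_globals sections. The expected values and the baseline disable_functions list are this example's assumptions; agree the function list with your developers as the page advises.

```php
<?php
// Added example, not part of the original page. Run as `php audit.php`
// (CLI) or through the web SAPI, since each SAPI may load different ini
// files. Expected values below are assumptions; adjust to your environment.

// ini_get() returns false for a directive this PHP build does not know
// (register_globals no longer exists on current versions), "" or "0" for
// Off and "1" for On, so normalise before comparing.
function iniBool(string $name): ?bool
{
    $v = ini_get($name);
    return $v === false ? null : filter_var($v, FILTER_VALIDATE_BOOLEAN);
}

// Returns a list of findings; an empty list means every directive that the
// build supports is in the hardened state. Unknown directives are skipped.
function auditPhpIni(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include', 'register_globals'] as $d) {
        if (iniBool($d) === true) {
            $findings[] = "$d is On; set it to Off";
        }
    }
    // display_errors may also be "stderr" or "stdout", which still disclose.
    $de = strtolower((string) ini_get('display_errors'));
    if (!in_array($de, ['', '0', 'off'], true)) {
        $findings[] = "display_errors is '$de'; set it to Off";
    }
    foreach (['log_errors', 'session.cookie_httponly'] as $d) {
        if (iniBool($d) !== true) {
            $findings[] = "$d is Off; set it to On";
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset; scripts can read outside the home directory';
    }
    if ((string) ini_get('upload_tmp_dir') === '') {
        $findings[] = 'upload_tmp_dir is unset; uploads land in the system default temp dir';
    }
    // Assumed baseline of process-spawning functions to disable.
    $wanted   = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff($wanted, $disabled) as $fn) {
        $findings[] = "$fn is not listed in disable_functions";
    }
    return $findings;
}

foreach (auditPhpIni() as $f) {
    echo "[WEAK] $f\n";
}
```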

Additional Documentation

To learn more about securing your PHP installation, visit our PHP documentation.

Topic revision: r5 - 01 Mar 2013 - 18:51:07 - Main.JenniferDoubrava