Security

[VS-03]

Hello KWWHunction user's

Well Basically i'm asking for a detailed guide on the following:

Stop user's overriding / bypassing systems php.ini

I know you have to disable: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen


to get secured server.

VS-03 Reviewed by VS-03 on 2nd Sep 2011. Security Hello KWWHunction user's Well Basically i'm asking for a detailed guide on the following: Stop user's overriding / bypassing systems php.ini I know you have to disable: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen to get secured server. Rating: 5

[kolaps]

If you really want that thing to be secure, you could use linux vservers or freebsd jails & 'lock' your users in a jail, if you install php-fpm/nginx might be fine ressources-wise...

[supportex]

If you really want to raise security of your server then you need to disable use of following php functions:

Code: 

eval, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, getmyuid, posix_getpwuid, posix_getgrgid, fileowner|filegroup, apache_note, apache_setenv, openlog, syslog, virtual, dl, ini_alter, get_current_user, posix_uname

The same users various rights permissions with nginx + php-fpm and use php security module suhosin.
But keep in mind that some applications may not work with such restrictions, so you should carefully make changes.

[NewEraCracker]

If you really want to raise security of your server then you need to disable use of following php functions:

Code: 

eval, exec, passthru, shell_exec, system, proc_open, popen, parse_ini_file, show_source, getmyuid, posix_getpwuid, posix_getgrgid, fileowner|filegroup, apache_note, apache_setenv, openlog, syslog, virtual, dl, ini_alter, get_current_user, posix_uname

Lol?

eval - http://php.net/manual/en/function.eval.php
ini_alter - http://php.net/manual/en/function.ini-alter.php

[supportex]

Lol?

eval - http://php.net/manual/en/function.eval.php
ini_alter - http://php.net/manual/en/function.ini-alter.php

Unfortunately very often the programmers do not check the incoming data. This allows an attacker to pass on their variables to execution.
When on yours server lot of developers and you can not control quality of their code, but you need to keep security on the server. The best solution is to take hard management.

Also you can read articles "PHP / SQL Security" on acunetix.com, that will help improve security of applications.