Hardening the PHP Configuration
This chapter provides an overview of security-related PHP configuration options (PHP version 5.3).
# Information Disclosure
display_errors:
• Defines if error messages should be displayed in the web browser.
• Default: 1
• Recommendation: Off
display_startup_errors:
• Defines if errors occurring during request initialisation should be displayed or logged.
• Default: 0
• Recommendation: Off unless for debugging.
log_errors:
• Defines if errors should be logged.
• Default: 0
• Recommendation: 1, in combination with error_log defining a path outside the web root.
expose_php:
• Defines if PHP should add version information to the response's HTTP headers.
• Default: On
• Recommendation: Off, as it is advisable to divulge as little information as possible to potential attackers.
# Resource Limits
max_execution_time:
• Sets the maximum time in seconds before the PHP script is terminated. Time is measured as CPU time, so waiting periods, e.g. for database queries, are not counted.
• Default: 30
• Recommendation: This option should be set just high enough that only unusually long executions are cut off.
max_input_time:
• Sets the maximum time in seconds a script is allowed to process input, e.g. POST, GET, file uploads.
• Default: -1 (no restriction)
• Recommendation: It may be useful to restrict the execution time, but this should be decided on a case-by-case basis for each application.
max_input_nesting_level:
• Sets the maximum nesting level for input variables ($_REQUEST, $_POST, $_GET, ...). This prevents the interpreter from crashing while handling too deeply nested variables.
• Default: 64
• Recommendation: The default value should be sufficient for most use cases.
memory_limit:
• Sets the maximum amount of memory in bytes a PHP script is allowed to allocate.
• Default: 128M
• Recommendation: Before changing this value, the script's maximum memory requirement should be measured empirically and then increased by 20%.
post_max_size:
• Sets the maximum size of POST data allowed.
• Default: 8M
• Recommendation: This value should match the size actually required. File uploads have to be covered by this setting as well.
upload_max_filesize:
• Sets the maximum file upload size allowed.
• Default: 2M
• Recommendation: This value should match the file size actually required.
# Features
allow_url_fopen:
• Activates URL-aware fopen() wrappers, allowing URLs to be handled like files.
• Default: On (can only be changed via php.ini)
• Recommendation: Deactivate, if possible.
allow_url_include:
• Allows URL wrappers to be used with include(), include_once(), require() and require_once().
• Default: Off
• Recommendation: Should remain deactivated for security reasons.
magic_quotes_gpc:
• Activates magic_quotes for GET/POST/COOKIE (GPC). If activated, all ' (single quotes), " (double quotes), \ (backslashes) and NULs are transparently escaped with a backslash. This option will not be available in PHP 6.
• Default: 1
• Recommendation: This option should be deactivated. Instead, user input should be escaped properly and handled in a secure way when building database queries.
magic_quotes_runtime:
• Activates backslash escaping for all user input.
• Default: 0
• Recommendation: This option should remain deactivated. Instead, user input should be escaped properly and handled in a secure way when building database queries.
magic_quotes_sybase:
• Switches to escaping with a single quote instead of a backslash for magic_quotes_gpc and magic_quotes_runtime.
• Default: 0
• Recommendation: This option should remain deactivated. Instead, user input should be escaped properly and handled in a secure way when building database queries.
enable_dl:
• Allows PHP extensions to be loaded dynamically.
• Default: 1
• Recommendation: Deactivate this option to prevent arbitrary code from being loaded at runtime.
disable_functions:
• Disables specified functions.
• Default: ""
• Recommendation: Potentially dangerous and unused functions should be deactivated, e.g. system().
See also: List of potentially dangerous PHP functions
disable_classes:
• Disables specified classes.
• Default: ""
• Recommendation: Potentially dangerous and unused classes should be deactivated.
See also: List of potentially dangerous PHP classes
request_order:
• Defines the order in which GET, POST and COOKIE is parsed into REQUEST from left to right. Later values supersede existing ones.
• Default: <null>
• Recommendation: It is recommended to use GP to register GET and POST with REQUEST.
variables_order:
• Defines the order in which the variables ENV, GET, POST, COOKIE and SERVER are parsed. The parsing is carried out from left to right and new values overwrite old ones. If no value is set, no superglobals will be generated. If e.g. "SP" is used, $_SERVER and $_POST will be generated.
• Default: EGPCS
• Recommendation: Changing this setting is usually not necessary; however, the ENV variables are rarely used.
auto_globals_jit:
• Controls if the variables REQUEST, SERVER and ENV are only generated when they are used for the first time (JIT = Just In Time) or are generated at the start of the execution of the script.
• Default: On
• Recommendation: Unless access to these variables is done through variable variables this option can remain activated.
register_globals:
• Defines that EGPCS variables (ENV, GET, POST, COOKIE, SERVER) should additionally be registered as global variables.
• Default: Off
• Recommendation: For security reasons this option should never be activated.
file_uploads:
• Controls if HTTP file uploads are permitted or not.
• Default: On
• Recommendation: If an application does not require HTTP file uploads, this setting should be deactivated.
filter.default:
• Selects the standard filter used for filtering $_GET, $_POST, $_COOKIE and $_REQUEST variables.
• Default: "unsafe_raw"
• Recommendation: Change only if the application is specifically designed to handle filtered values.
# Output
default_mimetype:
• Defines the default mimetype setting.
• Default: "text/html"
• Recommendation: Default value should not be changed.
default_charset:
• Defines the default character set.
• Default: <empty>
• Recommendation: The default character set should be set according to the application.
List of potentially dangerous PHP functions:
• system - Program execution
• exec - Program execution
• shell_exec - Program execution
• proc_open - Program execution
• popen - Program execution
• passthru - Program execution
• stream_socket_server - Server socket creation
• dl - Load arbitrary PHP modules
• phpinfo - Information about the server
• mail - Send email
• posix_* - POSIX functions
• apache_child_terminate - Terminate Apache 1 process
• apache_setenv - Set Apache environment variable
• virtual - Bypass safe mode
List of potentially dangerous PHP classes:
• SPLFileObject - Write access to files
# safe_mode & open_basedir
safe_mode:
• Activates PHP's safe mode. This will be dropped in PHP 6.
• Default: Off
• Recommendation: As required.
safe_mode_gid:
• Defines if safe_mode uses UID (false, 0) or GID (true, 1) for access checks.
• Default: Off
• Recommendation: As required.
safe_mode_include_dir:
• Defines a list of directories that are exempt from the safe_mode restrictions for the include or require statement. This allows a central copy of libraries to be included. Multiple paths are separated by colons (or semicolons on Windows).
• Default: <empty>
• Recommendation: As required.
safe_mode_exec_dir:
• Defines a directory that is exempt from safe_mode restrictions. Programs within this directory are allowed to be executed by system() and similar functions.
• Default: <empty>
• Recommendation: As required.
safe_mode_allowed_env_vars:
• Defines a list of permitted prefixes for environment variables that can be used when safe_mode is activated. If this value is empty, all variables can be used.
• Default: "PHP_"
• Recommendation: As required.
safe_mode_protected_env_vars:
• Defines a list of environment variables, which cannot be set by the user with the putenv() function, even if they are permitted by the safe_mode_allowed_env_vars directive.
• Default: "LD_LIBRARY_PATH"
• Recommendation: As required.
open_basedir:
• Defines the directories in which a script may open files using fopen() and similar functions. The value is matched as a prefix: /dir/lib would permit access to both /dir/lib and /dir/library. To permit only one path, it must end with a slash. This option is not affected by the setting of safe_mode.
• Default: <empty> (opening of all files is permitted)
• Recommendation: This should be restricted to the document root directory.
# Session
session.save_path:
• Defines an argument that is passed to the session's storage handler. This is usually the path where the session data is stored.
• Default: <empty>
• Recommendation: Each application should store its session data in a separate location.
session.cookie_httponly:
• Controls if cookies are tagged with HttpOnly, which makes them accessible via HTTP only and not from JavaScript. HttpOnly cookies are supported by all major browser vendors and can therefore be instrumental in reducing the risk of session hijacking.
• Default: Off
• Recommendation: Should be activated.
session.cookie_secure:
• Controls if cookies are tagged as Secure and should therefore be sent over SSL-encrypted connections only.
• Default: Off
• Recommendation: Must be activated for SSL websites.
session.cookie_lifetime:
• Defines the maximum lifetime of a cookie in seconds.
• Default: 0 (until the browser is closed)
• Recommendation: Should be adjusted to the desired session lifetime.
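As an added example (not part of this chapter), the following Python script parses a php.ini file and checks it against the recommendations in the Information Disclosure, Features, open_basedir and Session sections: boolean directives are compared with their PHP 5.3 defaults when absent, the program-execution functions from the list above are checked against disable_functions, and open_basedir entries are checked for the trailing slash that turns a prefix into an exact directory. The embedded php.ini is constructed for the example and its paths are placeholders; a Unix-style colon-separated open_basedir list is assumed.

```python
TRUE_WORDS = {"1", "on", "true", "yes"}  # php.ini spellings that mean On

# directive: (PHP 5.3 default as listed in this chapter, hardened value wanted)
BOOL_RULES = {
    "display_errors": ("1", False), "log_errors": ("0", True),
    "expose_php": ("On", False), "allow_url_fopen": ("On", False),
    "allow_url_include": ("Off", False), "magic_quotes_gpc": ("1", False),
    "enable_dl": ("1", False), "register_globals": ("Off", False),
    "session.cookie_httponly": ("Off", True), "session.cookie_secure": ("Off", True),
}
# program-execution functions from the list of dangerous functions above
EXEC_FUNCS = {"system", "exec", "shell_exec", "proc_open", "popen", "passthru"}

def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("["):
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (directive, problem) pairs; an empty list means every check passed."""
    findings = []
    for directive, (default, want_on) in BOOL_RULES.items():
        actual = settings.get(directive, default).lower() in TRUE_WORDS  # absent = default
        if actual != want_on:
            findings.append((directive, "is %s, should be %s" % (
                "On" if actual else "Off", "On" if want_on else "Off")))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    for fn in sorted(EXEC_FUNCS - disabled):
        findings.append(("disable_functions", fn + "() is still callable"))
    base = settings.get("open_basedir", "")
    if not base:
        findings.append(("open_basedir", "unset: scripts may open any file"))
    for path in filter(None, base.split(":")):  # Unix separator assumed; Windows uses ';'
        if not path.endswith("/"):  # prefix match: /dir/lib would also allow /dir/library
            findings.append(("open_basedir", path + " is a prefix; add a trailing slash"))
    return findings

SAMPLE_INI = """\
; constructed sample for this example, not a real server's php.ini
display_errors = Off
log_errors = On
allow_url_fopen = Off
disable_functions = system, exec, passthru
open_basedir = "/var/www/app"
session.cookie_httponly = 1
"""
```

Run it against a real file with audit(parse_php_ini(open(path).read())); for the sample above it reports expose_php, magic_quotes_gpc, enable_dl and session.cookie_secure left at their defaults, three execution functions still callable, and the missing trailing slash. A file audit cannot see values overridden at runtime (ini_set() or per-directory settings), which only ini_get() inside a PHP script would report.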