PHP is the language of three of the four CMSs spotlighted in this book. Joomla!, Drupal, and WordPress are written in PHP.
PHP is an interpreted language: the PHP interpreter, running either as a module inside the web server or as a separate CGI/FastCGI process, executes the script's commands and hands an ordinary web page back to the browser. PHP has been around since 1994 and has a very actively maintained code base.
Securing PHP matters not only for your own server and data, but for others on the Internet as well, because a compromised PHP host is routinely used to attack other sites. Running an older, unpatched version of PHP is no different from running any other vulnerable server. Fortunately, you can secure PHP fairly easily.
This section covers various security tools and processes, as well as a little about the php.ini configuration file.
suPHP
One of the first items of business is to determine (if you do not already know) how PHP is executed on your server. Ideally, you want to be running suPHP, a tool that forces PHP scripts (such as your CMS) to execute with the permissions of the user who owns them, rather than as the shared web server user. That way a compromise of one site on the server cannot read or write another site's files.
suPHP is a great tool for ensuring that you are running PHP in a secure fashion. If you are using a managed virtual private server (VPS) or dedicated server at a hosting company, a quick telephone call to the support staff can establish whether you are running it. Note that suPHP itself has not been maintained for years; on current stacks, PHP-FPM with a separate pool, user, and group per site provides the same separation, and the checks below apply to it equally.
Another way to tell is to temporarily set a directory's permissions to 777. suPHP refuses to run scripts that live in a world-writable directory, so if it is installed you get a 500 Internal Server Error when you browse to a script in that directory. Restore the original permissions (normally 755 for directories) as soon as you have your answer; leaving a directory world-writable is exactly the condition suPHP is protecting you against.
phpinfo
PHP provides a convenient way to examine the entirety of its settings: the phpinfo function. It is a useful tool to have in your toolkit.
The steps to run phpinfo are easy to follow, and the results are invaluable:
1. Create a text file in your website's document root (typically public_html) and name it phpinfo.php. In that file, insert the following:
<?php phpinfo(); ?>
2. Save the file and ensure that its permissions are set to 644.
3. From your browser, type the following:
http://www.yourdomain.com/phpinfo.php
A lot of information about your server and its environment appears. Near the top of the page, the Server API row should resemble Figure 5.10. Delete phpinfo.php as soon as you have what you need: left on the server, it hands any visitor a complete inventory of your PHP version, loaded modules, file paths, and settings.
Figure 5.10 suPHP installed
If the Server API row reads Apache 2.0 Handler (PHP running as an Apache module) in place of CGI/FastCGI, then you do not have suPHP installed. The reverse is not a proof: CGI/FastCGI only tells you that PHP runs as a separate process, which is equally true of plain CGI and of PHP-FPM, so confirm with your host or with the permission test described earlier.
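The following script is an added example, not code from the book or from the suPHP project. It goes one step beyond reading the Server API row: it reports which SAPI the interpreter is running under and compares the uid the process runs as with the uid that owns the script file, which is the property suPHP is meant to guarantee. It must be requested through the web server (running it from the command line only tells you about the CLI), it assumes the posix extension is loaded, and it should be deleted as soon as you have read the result, for the same reason as phpinfo.php.

```php
<?php
// Added example; not code from the book or from suPHP. It reports how the
// interpreter is running and whether scripts execute as their own owner,
// which is the property suPHP is meant to provide. Drop it next to
// phpinfo.php, browse to it once, then delete it: it discloses configuration.

function how_php_runs()
{
    // php_sapi_name(): "apache2handler" = mod_php, "cgi-fcgi" = CGI/FastCGI,
    // "fpm-fcgi" = PHP-FPM, "cli" = command line.
    $sapi  = php_sapi_name();
    $owner = fileowner(__FILE__);    // numeric uid of the account that owns this script
    // posix_geteuid() needs the posix extension (assumed present, as on most Linux builds).
    $uid   = function_exists('posix_geteuid') ? posix_geteuid() : null;

    if ($sapi === 'apache2handler') {
        $verdict = 'PHP is an Apache module; every site runs as the web server user, so suPHP is not in use.';
    } elseif ($uid === null) {
        $verdict = 'Cannot determine the process uid (posix extension missing); compare Server API in phpinfo instead.';
    } elseif ($uid === $owner) {
        $verdict = 'Scripts run as their owner: suPHP (or an equivalent per-user FastCGI/FPM setup) is in effect.';
    } else {
        $verdict = 'PHP runs as a separate process but NOT as the file owner; ask your host which user executes scripts.';
    }

    return array(
        'sapi'        => $sapi,
        'file_owner'  => $owner,
        'process_uid' => $uid,
        'verdict'     => $verdict,
    );
}

$info = how_php_runs();
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');   // plain text, so nothing is rendered as HTML
}
foreach ($info as $key => $value) {
    echo str_pad($key, 12), ': ', ($value === null ? 'unknown' : $value), "\n";
}
```

A file_owner equal to process_uid under a cgi-fcgi or fpm-fcgi SAPI is the result you want; a matching uid under apache2handler would only mean that the whole server runs as your account, which is worse, not better.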
PHP has many settings, and it is easy to miss one. Fortunately, a free and open source tool will give you a good evaluation of your settings, as discussed in the following section.
PhpSecInfo
The PhpSecInfo tool, from the PHP Security Consortium (PHPSC), a group of international experts in PHP security, is built to evaluate your server's setup and flag PHP holes that are still open. You can get the tool by visiting http://phpsec.org/projects/phpsecinfo/. Because it is itself a PHP script that prints your configuration, install it in a directory you protect (or run it from the command line) and remove it when you are done.
When run on your server, this tool will test for a number of issues that could affect your security. Figure 5.11 shows an example of one such warning.
Figure 5.11 Warning produced by PhpSecInfo tool
The various warnings and errors are color-coded; this one appears in red.
This particular warning is telling you that the cgi.force_redirect directive is disabled, which is unsafe when PHP runs as a CGI (it is covered again in the php.ini section). Note the “More information” link on the lower right, which provides a detailed explanation of the warning.
At the bottom of the report is the Test Results Summary, as shown in Figure 5.12. It states that 18 tests were run, that 10 of them produced notices (items that need attention), and that 2 items were marked as severe.
Figure 5.12 Test Results Summary
Run this tool regardless of how long your server has been in production; you might find a number of holes. Run it again after any upgrade and after any incident.
php.ini
When PHP runs under suPHP (that is, as a CGI/FastCGI process), it also reads a php.ini placed in the website's own directory, so most sites on such a server have one in their document root. This file lets you set directives for the PHP interpreter on a per-site basis, in place of the server-wide /etc/php.ini. Check with your host to confirm that the server is running suPHP: under mod_php a per-site php.ini is ignored, and you would use php_flag and php_value lines in .htaccess instead.
Using WinSCP (or any SFTP client), locate the server-wide php.ini. Its location varies by distribution (/etc/php.ini on Red Hat-style systems, /etc/php5/apache2/php.ini or /etc/php5/cgi/php.ini on Debian-style ones); the Loaded Configuration File row of the phpinfo output tells you exactly which file is in effect. If you cannot edit the server-wide file, a php.ini in your public_html directory serves the same purpose under suPHP.
Read through the phpinfo output and decide whether any settings need changing for your situation. One candidate is memory_limit: the default in modern PHP is 128M, meaning a single script may ask for and use that much memory. Another is max_execution_time (default 30 seconds), which stops a buggy script that runs forever from tying up the server.
In essence, you can fine-tune your PHP server through this helpful file. Make the following changes:
Turn off the display of PHP error messages to external users. Error output reveals file paths, query fragments, and stack details that help an attacker exploit vulnerabilities in code on your website. Add the following entry to your php.ini file:
display_errors = Off
Older versions of PHP offered safe_mode as a way to stop scripts from running shells and other evils. Be aware that safe_mode was deprecated in PHP 5.3.0 and removed in 5.4.0, so on those versions the directive does nothing; and even where it works it was never a complete sandbox, so treat it as one layer on top of file permissions and suPHP, not a substitute for them. On PHP 5.2 and earlier, insert the following:
safe_mode = On
Only allow execution of external programs from an isolated directory (replace the placeholder with the real path):
safe_mode_exec_dir = php-required-executables-path
Limit which environment variables scripts may change to those whose names begin with PHP_:
safe_mode_allowed_env_vars = PHP_
PHP can hand attackers a great deal of information through leakage, such as the X-Powered-By header that announces the exact PHP version. Restrict it by inserting this:
expose_php = Off
Because you have suppressed errors on screen, log them instead so that you still see them, with the following entry (and point error_log at a file outside the web root):
log_errors = On
The register_globals directive was deprecated in PHP 5.3.0 and removed in 5.4.0, so on those versions the setting is irrelevant. If you are running anything older than 5.3.0, you should set it as follows:
register_globals = Off
POST is used to gather inputs from a form and submit them to the application. By minimizing the maximum POST size, you lower the risk of a large malicious payload being submitted. This is a recommendation only: test it against your site's real forms and uploads, and if it proves too restrictive, raise the limit and repeat the test. Note that post_max_size must be at least as large as upload_max_filesize, or uploads bigger than post_max_size are silently discarded. Minimize the allowed POST size with the following:
post_max_size = 2M
Ensure that the PHP CGI binary can only be reached through the web server's internal redirect and never invoked directly by a request, by confirming the following. This is PHP's default; the PhpSecInfo warning in Figure 5.11 fires precisely when someone has set it to 0, which disables the protection:
cgi.force_redirect = 1
If you allow file uploads to your site, consider the maximum file size you will accept; if you need very large or very small files, adjust the directive accordingly.
The default is 2M. To change this size, set the following directive:
upload_max_filesize = 2M
Change 2M to the number of megabytes that matches your needs. Remember that the larger the upload you allow, the larger the malicious payload that could potentially be uploaded.
If the site does not need uploads at all, disable them entirely (this also disables the CMS's own media uploader):
file_uploads = Off
Stop PHP from treating URLs as if they were local files (for example fopen("http://...")), which is what makes remote file inclusion possible. Make sure the related allow_url_include directive is Off as well (it is by default), and be aware that some CMS features that fetch over HTTP without cURL will stop working:
allow_url_fopen = Off
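The following script is an added example, not code from the book, from PhpSecInfo, or from any CMS. It serves both the PhpSecInfo section and the php.ini list above: a short audit, in the spirit of PhpSecInfo, that reads the directives this chapter recommends from inside the running interpreter with ini_get(), so the result reflects whatever configuration was actually loaded (server-wide php.ini, a per-site php.ini, or a .user.ini), not the file you believe is in effect. The expected values are the chapter's own recommendations; allow_url_include is an extra check this example adds, and the size-limit ordering check reflects the post_max_size caveat above. Run it as php audit_ini.php on the command line, or request it once through the web server and then delete it.

```php
<?php
// Added example, not the book's or PhpSecInfo's code: audit the php.ini
// directives recommended in this section against the configuration the
// running interpreter actually loaded. Disclosing configuration is the
// whole point, so delete it after use if you ran it over the web.

function shorthand_to_bytes($value)
{
    // Convert php.ini size shorthand ("2M", "128M", "1G", "-1") to bytes.
    $value = trim((string) $value);
    if ($value === '' || $value === '-1') {
        return -1;                       // -1 means "no limit" (memory_limit)
    }
    $unit = strtolower(substr($value, -1));
    $num  = (int) $value;
    switch ($unit) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;
        case 'k': return $num * 1024;
        default:  return $num;
    }
}

function ini_is_on($name)
{
    // ini_get() returns false for a directive this PHP build does not know
    // (e.g. register_globals on PHP >= 5.4), "" or "0" for Off, "1" for On.
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

function audit_ini()
{
    // Directive => value the chapter recommends (true = On, false = Off).
    // allow_url_include is an addition of this example: it governs
    // include/require of remote URLs and should be Off (the default).
    $expected = array(
        'display_errors'     => false,
        'log_errors'         => true,
        'expose_php'         => false,
        'register_globals'   => false,
        'allow_url_fopen'    => false,
        'allow_url_include'  => false,
        'cgi.force_redirect' => true,   // 1, never 0, under CGI/FastCGI
    );

    $report = array();
    foreach ($expected as $name => $want) {
        $have = ini_is_on($name);
        if ($have === null) {
            $report[] = "N/A  $name (not present in this PHP build)";
        } elseif ($have === $want) {
            $report[] = "OK   $name = " . ($want ? 'On' : 'Off');
        } else {
            $report[] = "WARN $name = " . ($have ? 'On' : 'Off')
                      . " (expected " . ($want ? 'On' : 'Off') . ")";
        }
    }

    // Size limits: upload_max_filesize <= post_max_size <= memory_limit,
    // otherwise uploads above post_max_size are dropped without an error.
    $upload = shorthand_to_bytes(ini_get('upload_max_filesize'));
    $post   = shorthand_to_bytes(ini_get('post_max_size'));
    $mem    = shorthand_to_bytes(ini_get('memory_limit'));
    $report[] = 'INFO upload_max_filesize=' . ini_get('upload_max_filesize')
              . ' post_max_size=' . ini_get('post_max_size')
              . ' memory_limit=' . ini_get('memory_limit');
    if ($post !== -1 && $upload > $post) {
        $report[] = 'WARN upload_max_filesize exceeds post_max_size; large uploads will be discarded';
    }
    if ($mem !== -1 && $post !== -1 && $post > $mem) {
        $report[] = 'WARN post_max_size exceeds memory_limit';
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');   // plain text when requested through the web server
}
echo implode("\n", audit_ini()), "\n";
```

Run it once from the command line and once through the web server: the CLI and the web SAPI often load different php.ini files, and only the web result tells you what your CMS is actually running under. An N/A line for register_globals simply means you are on PHP 5.4 or later, where the directive no longer exists.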
Note
For a full list of all the directives of php.ini, see http://php.net/manual/en/ini.core.php.