25 php security best practices for sysadmins

Upload: rajmohan1976

Post on 01-Mar-2018


7/25/2019 25 PHP Security Best Practices for SysAdmins

Linux: 25 PHP Security Best Practices For Sys Admins

by Vivek Gite on November 23, 2011, last updated March 28, 2016

in PHP, RedHat/Fedora Linux, Security, Sys admin, Tuning

PHP is an open-source server-side scripting language, and it is widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP or HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems, so PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Our Sample Setup For PHP Security Tips

DocumentRoot: /var/www/html

Default Web server: Apache (you can use Lighttpd or Nginx instead of Apache)

Default PHP configuration file: /etc/php.ini

Default PHP extensions config directory: /etc/php.d/

Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)

Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distribution such as Debian / Ubuntu, or other Unix-like operating systems such as OpenBSD/FreeBSD/HP-UX)

Default PHP server TCP/UDP ports: none

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell:

$ php -v

Sample outputs:

PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

For demonstration purposes I'm going to use the following operating system:

$ cat /etc/redhat-release

Sample outputs:

Red Hat Enterprise Linux Server release 6.1 (Santiago)

#1: Know Your Enemy

PHP based apps can face different types of attacks. I have noticed the following types of attacks:

1. XSS - Cross-site scripting is a vulnerability in php web applications, which attackers may exploit to steal users' information. You can configure Apache and write more secure PHP scripts (validating all user input and encoding all output, for example with htmlspecialchars()) to avoid XSS attacks.

2. SQL injection - It is a vulnerability in the database layer of a php application. When user input is incorrectly filtered, any SQL statement can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP was to escape parameters using the function mysql_real_escape_string() before sending the SQL query. That function belongs to the old mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7, so use prepared statements with bound parameters (PDO or mysqli) instead; they separate the query text from the data and do not depend on escaping at all.

3. File uploads - It allows your visitors to place files (upload files) on your server. This can result in various security problems such as deleting your files, deleting the database, getting user details and much more. You can disable file uploads using php (file_uploads=Off) or write secure code (like validating user input and only allowing image file types such as png or gif).

4. Including local and remote files - An attacker can open files from a remote server and execute any PHP code. This allows them to upload files, delete files and install backdoors. You can configure php to disable remote file execution (allow_url_fopen=Off and allow_url_include=Off).

5. eval() - Evaluates a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. Note that eval() is a language construct, not a function, so it cannot be switched off with disable_functions; only the Suhosin extension (suhosin.executor.disable_eval=On) can block it, which is why scanning the web root for eval(base64_decode(...)) patterns matters.

6. Sea-surf Attack (Cross-site request forgery - CSRF) - This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

#2: Find Built-in PHP Modules

To see the set of compiled-in PHP modules type the following command:

# php -m

Sample outputs:

[PHP Modules]
apc bcmath bz2 calendar Core ctype curl date dom ereg exif fileinfo
filter ftp gd gettext gmp hash iconv imap json
libxml mbstring mcrypt memcache mysql mysqli openssl pcntl pcre PDO pdo_mysql pdo_sqlite Phar readline Reflection session shmop SimpleXML sockets SPL sqlite3 standard suhosin tokenizer wddx xml xmlreader xmlrpc xmlwriter xsl zip zlib

[Zend Modules]
Suhosin

I recommend that you use PHP with a reduced set of modules for performance and security. For example, you can disable the sqlite3 module by deleting (removing) its configuration file, OR renaming (moving) the file called /etc/php.d/sqlite3.ini as follows:

# rm /etc/php.d/sqlite3.ini

# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Other compiled-in modules can only be removed by reinstalling PHP with a reduced configuration. You can download the php source code from php.net and compile it as follows with GD, fastcgi, and MySQL support:

./configure --with-libdir=lib64 --with-gd --with-mysql --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libexecdir=/usr/libexec --localstatedir=/var \
--sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info \
--cache-file=../config.cache --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d --enable-fastcgi \
--enable-force-cgi-redirect

Note that --enable-fastcgi and --enable-force-cgi-redirect only exist up to PHP 5.2; from PHP 5.3 on the CGI binary always has FastCGI support and the redirect check is controlled by the cgi.force_redirect directive in php.ini, so drop those two flags when building a newer release. See how to compile and reinstall php on Unix-like operating systems for more information.


#3: Restrict PHP Information Leakage

To restrict PHP information leakage disable expose_php. Edit /etc/php.d/security.ini and set the following directive:

expose_php=Off

With this setting PHP no longer adds the X-Powered-By header (which announces the exact PHP version) to responses; an HTTP HEAD request against the server after restarting the web server confirms that the header is gone.


The following Apache configuration restricts the HTTP methods accepted under the DocumentRoot to GET and POST; every other method is denied:

<Directory /var/www/html>
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
    ## Add rest of the config goes here... ##
</Directory>

On Apache 2.4 use Require all denied inside the LimitExcept block instead of Order allow,deny.

#10: Resource Control (DoS Control)

You can set the maximum execution time of each php script, in seconds (max_execution_time). Other recommended options are the maximum amount of time each script may spend parsing request data (max_input_time) and the maximum amount of memory a script may consume (memory_limit). Edit /etc/php.d/security.ini and set the following directives:

; set in seconds
max

The rest of this snippet, including the values, is cut off in this copy. Keep in mind that max_execution_time counts only time spent executing PHP code, not time spent in system calls or stream operations, so it does not bound slow database queries or remote fetches on its own.


manipulate system files. You must execute PHP CGIs as a non-privileged user using Apache's suEXEC or mod_suPHP. The suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my php-cgi is running as the phpcgi user and apache is running as the apache user:

# ps aux | grep php-cgi

Sample outputs (PID and memory columns are partly lost in this copy):

phpcgi  012  0.0  0.4  22503   0140  Nov22  0:12  /usr/bin/php-cgi
phpcgi  054  0.0  0.5  2228    2820  Nov22  0:11  /usr/bin/php-cgi
phpcgi  055  0.1  0.4  22444   5320  Nov22  0:18  /usr/bin/php-cgi
phpcgi  085  0.0  0.4  22480   548   Nov22  0:11  /usr/bin/php-cgi
phpcgi  103  0.0  0.4  22454   595   Nov22  0:11  /usr/bin/php-cgi
phpcgi  815  0.4  0.5  22855   1220  00:52  0:1   /usr/bin/php-cgi
phpcgi  821  0.3  0.5  228008  1252  00:55  0:12  /usr/bin/php-cgi
phpcgi  823  0.3  0.4  22553   5853  00:59  0:13  /usr/bin/php-cgi

You can use a tool such as spawn-fcgi to spawn remote and local FastCGI processes as the phpcgi user (first, add the phpcgi user to the system):

# spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi

Now, you can configure the Apache, Lighttpd, and Nginx web servers to use the external php FastCGI running on port 9000 at the 127.0.0.1 IP address.

#15: Limit PHP Access To File System

The open_basedir directive sets the directories from which PHP is allowed to access files using functions like fopen() and others. If a file is outside of the paths defined by open_basedir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example, only allow access to the /var/www/html directory and not to /var/www, /tmp or /etc:

; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir="/var/www/html/"

Two caveats. The value is a prefix match, so the trailing slash matters: /var/www/html would also admit /var/www/htmlbackup. And open_basedir only governs PHP's own file functions; it does not confine commands started through exec() or system(), so it complements user separation and disabling dangerous functions rather than replacing them. Keep upload_tmp_dir and session.save_path inside the allowed tree, or add them to the list (multiple paths are separated by colons on Unix).
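The php.ini settings recommended in #3, #10 and #15, together with the file_uploads and allow_url_* switches mentioned under "Know Your Enemy", are easy to get wrong across several *.ini files because PHP takes the last assignment it reads. The following script is an added example, not code from the original article: it parses a php.ini-style file the way PHP does (comments stripped, last assignment wins) and reports every directive that deviates from the hardened values. The numeric limits (30 s, 30 s, 64M) and the sample ini fragment are assumptions made for this example, not the article's figures.

```shell
#!/bin/sh
# Added example (not from the original article): audit a php.ini-style file
# for the directives discussed in tips #3, #10 and #15 and in the "Know Your
# Enemy" list. POSIX sh + awk only; PHP itself is not needed.
# The numeric limits used below (30 s, 30 s, 64M) are assumed for this
# example, not the article's values.

# ini_get FILE KEY: print the effective value of KEY (last uncommented
# assignment wins, as in PHP), or nothing if it is not set.
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                 # comment line
        /^[[:space:]]*\[/   { next }                 # [section] header
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)        # trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_ini FILE: print one FAIL line per deviation; return the failure count.
audit_ini() {
    f=$1; fails=0
    check() {   # check KIND DIRECTIVE [LIMIT]; an unset directive never passes
        v=$(ini_get "$f" "$2"); ok=0
        case $1 in
            off)  case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
                      off|0|false|no) ok=1 ;;
                  esac ;;
            set)  [ -n "$v" ] && ok=1 ;;
            max)  n=$(printf '%s' "$v" | tr -cd '0-9')
                  if [ -n "$n" ]; then
                      case $v in
                          -*)    n= ;;                  # -1 means unlimited
                          *[Gg]) n=$((n * 1024)) ;;     # express G as M
                          *[Kk]) n=$((n / 1024)) ;;     # express K as M
                      esac
                  fi
                  [ -n "$n" ] && [ "$n" -le "$3" ] && ok=1 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "FAIL $2 = '${v:-<unset>}'"
            fails=$((fails + 1))
        fi
    }
    check off expose_php             # #3: hide the X-Powered-By header
    check off file_uploads           # #1 item 3: uploads off unless needed
    check off allow_url_fopen        # #1 item 4: no remote file access
    check off allow_url_include      # #1 item 4: no remote includes
    check max max_execution_time 30  # #10: seconds (assumed limit)
    check max max_input_time 30      # #10: seconds (assumed limit)
    check max memory_limit 64        # #10: megabytes (assumed limit)
    check set open_basedir           # #15: filesystem fence must be set
    return "$fails"
}

# demo_audit: run the audit on a constructed php.ini fragment (sample data for
# this example, not a real server's file) and return its failure count.
demo_audit() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
; constructed sample: a php.ini with several weak settings
[PHP]
expose_php = On
file_uploads = On
allow_url_fopen = Off
allow_url_include = Off
max_execution_time = 300
max_input_time = 30
memory_limit = 128M   ; too generous for this audit
; open_basedir is not set at all
EOF
    rc=0
    audit_ini "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo_audit || echo "audit found $? problem(s)"
```

Run it against the real file with audit_ini /etc/php.ini, or against each file under /etc/php.d/ in turn; the exit status is the number of deviations, so it drops straight into a configuration-management check or a cron job.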


#17: Keep PHP, Software, And OS Up to Date

Applying security patches is an important part of maintaining Linux, Apache, PHP, and MySQL servers. All php security updates should be reviewed and applied as soon as possible using one of the following tools (if you're installing PHP via a package manager):

# yum update

OR

# apt-get update && apt-get upgrade

You can configure Red Hat / CentOS / Fedora Linux to send yum package update notifications via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

Note: Check php.net for the most recent release for source code installations.

#18: Restrict File and Directory Access

Make sure you run Apache as a non-root user such as apache or www. All files and directories under /var/www/html should be owned by a non-root user (or the apache user):

# chown -R apache:apache /var/www/html/

/var/www/html/ is a subdirectory and DocumentRoot which is modifiable by other users, since root never executes any files out of there and shouldn't be creating files in there.

Make sure file permissions are set to 0444 (read-only) under /var/www/html/:

# chmod -R 0444 /var/www/html/

Make sure all directory permissions are set to 0555 under /var/www/html/:

# find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0555 {}

Directories need the execute (search) bit for the server user to open the files beneath them; with 0445, as this step was originally written, the owner (here apache) cannot descend into its own directories.

A Note About Setting Up Correct File Permissions

The chown and chmod commands make sure that under no circumstances DocumentRoot or files contained in DocumentRoot are writable by the Web server user apache. Please note that you need to set permissions that make the most sense for the development model of your website, so feel free to adjust the chown and chmod commands as per your requirements. In this example, the Apache server runs as the apache user. This is configured with the User and Group directives in your httpd.conf file. The apache user needs to have read access to everything under DocumentRoot but should not have write access to anything. Bear in mind that a file's owner can always chmod it back, so a read-only bit on files owned by apache stops accidents rather than a compromised PHP process; owning the tree by root or a separate deploy user, with world read access only, closes that gap.

Make sure httpd.conf has the following directives for a restrictive configuration:

<Directory />
    Options None
    AllowOverride None
    Order allow,deny
</Directory>

You should only grant write access when required. Some web applications such as WordPress and others may need a caching directory. You can grant write access to the caching directory using the following commands:

# chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo 'deny from all' > /var/www/html/blog/wp-content/cache/.htaccess

Two cautions here: a+w makes the directory world-writable, whereas only the server user needs write access (chmod u+w with apache as the owner, or a dedicated group, is enough); and with AllowOverride None in the Directory block above, Apache ignores .htaccess files, so the deny rule must instead go into a <Directory /var/www/html/blog/wp-content/cache> block in httpd.conf (Deny from all on 2.2, Require all denied on 2.4) to stop the server from executing anything an attacker manages to write into the cache.
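The chown/chmod/find steps above are applied by hand and never verified; a deploy script should do both and fail if anything is left writable. The following shell script is an added example, not code from the original article. It applies the read-only DocumentRoot model from #18 to a directory tree (files 0444, directories 0555, a listed cache directory 0755) and then counts every entry that deviates from the model. It assumes a temporary directory stands in for /var/www/html and the invoking user stands in for the file owner (the article uses the apache user), and the constructed tree has no spaces in its paths.

```shell
#!/bin/sh
# Added example (not from the original article): apply the read-only
# DocumentRoot model from tip #18 to a directory tree and verify it with find,
# so a deploy script can fail loudly if anything is left writable.
# Assumptions: the tree lives under a temporary directory, the invoking user is
# the owner (the article uses the apache user), and paths contain no spaces.

# harden_docroot ROOT [WRITABLE_DIR...]
# Files -> 0444, directories -> 0555 (the execute bit lets the server descend
# into them; 0445 as first written in the article locks the owner out).
# Listed directories (e.g. a cache dir) get owner write, nothing more.
harden_docroot() {
    root=$1; shift
    find "$root" -type f -exec chmod 0444 {} +
    find "$root" -type d -exec chmod 0555 {} +
    for d in "$@"; do
        chmod 0755 "$d"
    done
}

# count_violations ROOT [WRITABLE_DIR...]
# Print the number of entries that deviate from the model: any file not 0444,
# any directory not 0555, except the explicitly allowed 0755 directories.
count_violations() {
    root=$1; shift
    bad=$(find "$root" -type f ! -perm 0444 -o -type d ! -perm 0555 ! -perm 0755 \
          | wc -l | tr -d ' ')
    # a 0755 directory is acceptable only if it was explicitly allowed
    for d in $(find "$root" -type d -perm 0755); do
        ok=0
        for a in "$@"; do [ "$d" = "$a" ] && ok=1; done
        [ "$ok" -eq 1 ] || bad=$((bad + 1))
    done
    echo "$bad"
}

# demo_perms: build a constructed sample tree (a stand-in for /var/www/html
# with a WordPress blog), count violations before and after hardening, and
# print both counts as "before after".
demo_perms() {
    old=$(umask); umask 022
    root=$(mktemp -d) || return 1
    mkdir -p "$root/blog/wp-content/cache" "$root/blog/wp-includes"
    printf '<?php echo "index"; ?>\n' >"$root/index.php"
    printf '<?php echo "blog"; ?>\n'  >"$root/blog/index.php"
    printf '<?php // plugin\n'        >"$root/blog/wp-includes/plugin.php"
    chmod 0666 "$root/index.php"                      # deliberately sloppy
    cache="$root/blog/wp-content/cache"
    before=$(count_violations "$root" "$cache")
    harden_docroot "$root" "$cache"
    after=$(count_violations "$root" "$cache")
    chmod -R u+rwx "$root" && rm -rf "$root"         # dirs are 0555: make removable
    umask "$old"
    echo "$before $after"
}

demo_perms
```

In production, run harden_docroot /var/www/html /var/www/html/blog/wp-content/cache as root after each deploy, and let count_violations gate the job: anything other than 0 means a file or directory is writable that should not be.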

#19: Write Protect Apache, PHP, and MySQL Configuration Files

Use the chattr command to make the configuration files immutable:

# chattr +i /etc/my.cnf
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/

Note that the immutable bit on a directory such as /etc/ forbids creating, deleting or renaming entries in it (existing files that are not themselves immutable can still be edited), which breaks package updates; run chattr -i before yum or apt-get and re-apply the bit afterwards.

The chattr command can write protect your php files or files in the /var/www/html directory too:

# chattr +i /var/www/html/file1.php
# chattr +i /var/www/html/

#20: Use Linux Security Extensions (such as SELinux)

Linux comes with various security patches which can be used to guard against misconfigured or compromised server programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel and the Apache web server. To list all Apache SELinux protection variables, enter:

# getsebool -a | grep httpd

Sample outputs (truncated in this copy):

allow

Each boolean can be switched with setsebool; add -P so the change survives a reboot.


#22: Run Apache / PHP In a Chroot Jail If Possible

Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use a traditional chroot kind of setup with Apache. However, I recommend FreeBSD jails, XEN virtualization, KVM virtualization, or OpenVZ virtualization, which uses the concept of containers.

#23: Use Firewall To Restrict Outgoing Connections

The attacker will download files locally on your web server using tools such as wget. Use iptables to block outgoing connections from the apache user. The ipt_owner module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. In this example, allow the vivek user to connect outside using port 80 (useful for RHN or CentOS repo access):

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Here is another example that blocks all outgoing connections from the apache user except to our own smtp server and spam validation API service (the rest of this ruleset is cut off in this copy):

# ....
/sbin/iptables --new-chain apache
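The per-user chain that the cut-off ruleset above begins has a few rules that are easy to forget: loopback traffic to a local php-fpm or MySQL socket, and the reply packets of connections that were already allowed (a --syn rule alone lets the handshake out and then rejects the rest of the conversation). The following script is an added example, not code from the original article. It generates the complete egress allowlist for the apache user; with DRY_RUN=1 (the default here) it prints the rules instead of applying them, so it can be reviewed or tested without root or iptables. The addresses 192.0.2.25 (SMTP relay) and 192.0.2.80 (spam-check API) are documentation addresses assumed for this example, and it assumes the OUTPUT chain's default policy is ACCEPT.

```shell
#!/bin/sh
# Added example (not from the original article): build the per-user egress
# allowlist from tip #23 for the apache user. With DRY_RUN=1 (the default
# here) the rules are printed instead of applied. 192.0.2.25 and 192.0.2.80
# are documentation addresses assumed for this example, not real hosts.
# Assumes the OUTPUT chain's default policy is ACCEPT.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# egress_rules USER CHAIN DEST:PORT...
# Everything USER sends is diverted into CHAIN: loopback traffic and packets
# of already-accepted connections pass, new TCP connections pass only to the
# listed DEST:PORT pairs, and anything else is rejected, so a wget launched by
# a web shell fails immediately instead of hanging.
egress_rules() {
    user=$1; chain=$2; shift 2
    run "$IPT" -N "$chain"
    run "$IPT" -A OUTPUT -m owner --uid-owner "$user" -j "$chain"
    run "$IPT" -A "$chain" -o lo -j RETURN
    run "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j RETURN
    for dp in "$@"; do
        dst=${dp%:*}; port=${dp##*:}
        run "$IPT" -A "$chain" -p tcp --syn -d "$dst" --dport "$port" -j RETURN
    done
    run "$IPT" -A "$chain" -j REJECT --reject-with icmp-port-unreachable
}

# rule_count USER CHAIN DEST:PORT...: number of rules the policy expands to
# (meaningful in dry-run mode only)
rule_count() { egress_rules "$@" | wc -l | tr -d ' '; }

egress_rules apache apache_out 192.0.2.25:25 192.0.2.80:443
```

RETURN hands matching packets back to OUTPUT, where the default policy accepts them; the final REJECT is what turns the chain into an allowlist. Run with DRY_RUN=0 as root to apply, and keep the allowlist in sync with the actual dependencies of the application (mail relay, payment or anti-spam APIs, package mirrors for the update user).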


#24: Run Services On Separate Servers Or VM Instances

Fig.01: Running Services On Separate Servers (diagram: ISP/Router -> Firewall -> LB01, behind which sit static.lan.cyberciti.biz, phpcgi1.lan.cyberciti.biz, phpcgi2.lan.cyberciti.biz, mysql1.lan.cyberciti.biz and mcache1.lan.cyberciti.biz)

Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker is able to successfully exploit a flaw in software such as Apache, he / she will get access to the entire server including other services running on the same server (such as MySQL, the e-mail server and so on). But in the above example content is served as follows:

1. static.lan.cyberciti.biz: Use the lighttpd or nginx server for static assets such as js/css/images.

2. phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz: Apache web server with php, used for generating dynamic content.

3. mysql1.lan.cyberciti.biz: MySQL database server.

4. mcache1.lan.cyberciti.biz: Memcached server, a very fast caching system for MySQL. It uses libevent or epoll (Linux runtime) to scale to any number of open connections and uses non-blocking network I/O.

5. LB01: An nginx web and reverse proxy server in front of the Apache Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the nginx proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers. LB01 provides simple load-balancing.

#25: Additional Tools

From the project page:

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

You can use PHPIDS to detect malicious users, and log any attacks detected for later review. Please note that I've personally not used this tool.

From the project page:

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Fig.01: Security Information About PHP Application

Both projects have been unmaintained for years, so treat them as reference implementations of the idea rather than as production tooling. See Linux security hardening tips which can reduce available vectors of attack on the system.

A Note About PHP Backdoors

You may come across php scripts or so called common backdoors such as c99, c99madshell, r57 and so on. A backdoor php script is nothing but a hidden script for bypassing all authentication and accessing your server on demand. It is installed by an attacker to access your server while attempting to remain undetected. Typically a PHP script (or any other CGI script) by mistake allows inclusion or upload of attacker-supplied code, the local/remote file inclusion and upload weaknesses from tip #1. An attacker can use such vulnerabilities to upload backdoor shells which can give him or her a number of capabilities such as:

Download files
Upload files
Install rootkits
Set up a spam mail server / relay server
Set up a proxy server to hide tracks
Take control of the server
Take control of the database server
Steal all information
Delete all information and databases
Open TCP / UDP ports and much more

Tip: How Do I Search PHP Backdoors?

Use the Unix / Linux grep command to search for c99 or r57 shells (grep needs -r to descend into the directory, otherwise it only reports "Is a directory"):

# grep -ri "c99" /var/www/html/
# grep -ri "r57" /var/www/html/
# find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99 | grep -Pn '(passthru|shell

The pattern of the last command is cut off in this copy. Names like c99 are trivially changed by the attacker; the functions a shell needs to do its work (passthru, shell_exec, system, eval of decoded strings) are the more durable thing to search for.
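A scan built on the idea of the grep commands above, as an added example that is not part of the original article: it walks a web root and flags the function calls and obfuscation idioms that PHP web shells rely on, rather than only the well-known file names, and it shows that a look-alike identifier such as system_status() does not trip the match. The sample tree and its planted "backdoor" are constructed for this example; the regexes are a starting point, not a complete signature set, so review hits by hand.

```shell
#!/bin/sh
# Added example (not from the original article): an indicator scan for PHP
# web shells, extending the grep commands in the tip with patterns for the
# functions and obfuscation those shells rely on. The demo tree and its
# "backdoor" below are constructed for this example.

# scan_webroot DIR: print file:line:text for every suspicious line under DIR.
# /dev/null is passed alongside so grep always prefixes the file name.
# Exit status follows grep: non-zero when nothing was found.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -En \
            -e 'c99|r57|madshell' \
            -e '(^|[^[:alnum:]_])(passthru|shell_exec|system|exec|popen|proc_open)[[:space:]]*\(' \
            -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
            -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\)' \
            /dev/null {} +
}

# count_hits DIR: number of suspicious lines (0 = nothing flagged)
count_hits() { scan_webroot "$1" | wc -l | tr -d ' '; }

# demo_scan: build a constructed webroot with one clean file and one planted
# shell, scan it, and print the hit count.
demo_scan() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/uploads"
    cat >"$root/index.php" <<'EOF'
<?php
// constructed benign page: an identifier that merely contains "system" must not match
$status = system_status();
echo htmlspecialchars($status, ENT_QUOTES, 'UTF-8');
EOF
    cat >"$root/uploads/img.php" <<'EOF'
<?php
// c99shell variant (constructed for this example)
eval(base64_decode('cGhwaW5mbygpOw=='));
passthru($_GET['cmd']);
EOF
    hits=$(count_hits "$root")
    rm -rf "$root"
    echo "$hits"
}

demo_scan
```

Run scan_webroot /var/www/html/ from cron and diff the output against the previous run: new hits in an uploads directory or in a file that the deployment did not ship are the lines to look at first.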


Recommended readings:

1. PHP Security Guide: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to write more secure PHP scripts. It's aimed squarely at beginners, but I hope that it still has something to offer more advanced users.

2. Essential PHP Security (kindle edition): A book about web application security written specifically for PHP developers. It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.

3. SQL Injection Attacks and Defense: This book covers sql injection and web-related attacks. It explains SQL injection: how to find, confirm, and automate SQL injection discovery. It has tips and tricks for finding SQL injection within the code. You can create exploits using SQL injection and design to avoid the dangers of these attacks.

Please add your favorite php security tool or tip in the comments.

About the author: Vivek Gite is a seasoned sysadmin and a trainer for Linux/Unix & shell scripting. Follow him on Twitter.

64 comments

Peter Molnar, November 23, 2011, 6:22 am:

You forget one of the most powerful tips: open_basedir. In this case, using /var/www is not the best solution, it would be better as /var/www/website1 and

/var/www/website1/www
/var/www/website1/tmp

Into apache config:

php_admin_value open_basedir /var/www/website1
php_admin_value upload_tmp_dir /var/www/website1/tmp

So no PHP execution outside the /var/www/website1 directory.

nixCraft, November 23, 2011, 10:14 am:

Heh, you read the post before it was finished. It was my fault. I accidentally pressed the Publish button. I appreciate your feedback.

Peter Molnar, November 25, 2011, 6:53 am:

I see, it has become "25" instead of "20" that was in my RSS title :)

Kweb, November 23, 2011, 10:31 am:

Awesome, I too caught a bit of the post before it was finished but this is a very useful post! Posted right whilst I was in the middle of developing an application too, so doubly useful.

Thanks

TryMe, November 23, 2011, 10:55 am:

All php backdoor shells are large in size. Use the following to find them:

find / -name '*.php' -type f -size +10000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
find /var/www -name '*.php' -type f -size +10000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

Yunus, November 26, 2011, 6:24 am:

I use http://www.rfxn.com/projects/linux-malware-detect/ which is very useful for detecting PHP backdoors.

mauri, November 23, 2011, 12:00 pm:

What about the use of suPHP?

Gopihere, November 23, 2011, 2:22 pm:

Ya, suPHP is also very useful and helpful for securing PHP websites.

deady, November 23, 2011, 2:34 pm:

apache-itk ++

Fred, November 23, 2011, 2:36 pm:

This is an outstanding post. One of the best resources I have ever seen regarding PHP security. Keep up the good work.

Chaudhary, November 23, 2011, 3:41 pm:

awesome, thank you for sharing

Fredrik, November 23, 2011, 4:58 pm:

I agree, good post, keep 'em coming

Firas, November 23, 2011, 10:49 pm:

Vivek, what great VPS control panel (secure) that works under FreeBSD do you prefer?

Thanks for your post, great job.

nixCraft, November 24, 2011, 7:02 am:

I do not use any control panel under FreeBSD or CentOS/RHEL based systems. Appreciate your post.

Umid, November 24, 2011, 5:11 am:

I like the post very much. Thank you.

    %*apper November 2A, 2011, 830 am

As usual, excellent job.

Robert Gilaard November 24, 2011, 11:37 am

Very well written and informative post.

Do you know what the effect will be on PostgreSQL if you enable SQL safe mode in PHP with the directive sql.safe_mode=On?

Tru (reply) November 24, 2011, 11:46 am

This only affects mysql_connect(), which is a MySQL-specific function.

Tru November 24, 2011, 11:46 am

How do you set and use sql.safe_mode? You need to set the mysql db setting in httpd.conf:

php: safe mode in PHP via the sql.safe_mode directive.

PHP then rejects any database connection attempts that use anything other than ini values for specifying authentication data.

Source: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Andres Mujica November 24, 2011, 7:43 pm

Excellent post, really really good.

Thanks for sharing.

Steve A November 25, 2011, 2:54 pm

Use PDO.

With proper bind variables, SQL injection becomes far less of a problem.
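The bind-variable point made in the comment above, as an added example that is not part of the original article or of any comment: a string-built query beside its bound-parameter equivalent, using PDO with an in-memory SQLite database so it runs offline. The table, its rows and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original article or comments): string-built SQL
// versus a bound-parameter query, on an in-memory SQLite database.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Surface driver errors as exceptions instead of silent false returns.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable form: the untrusted value becomes part of the SQL text itself,
// so any quote character in it changes the structure of the statement.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is compiled first, the value is handed to the
// driver separately and can never be parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Ordinary input: both forms return the same single row.
var_dump(findUserSafe($db, 'bob'));
var_dump(findUserUnsafe($db, 'bob'));

// Input containing a quote: the bound form simply matches no row, while the
// string-built form produces a broken statement and throws.
$odd = "o'brien";
var_dump(findUserSafe($db, $odd));
try {
    findUserUnsafe($db, $odd);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
```

With a MySQL DSN the same code applies; there it is also worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, performs the parameter binding.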

mario November 26, 2011, 2:07 pm

Wow, this list has some exceptionally clueless points. There are some good recommendations at the end, but I was expecting magic_quotes halfway in between.

For example eval() is not a security issue per se. It's just another name for include(). Randomly disabling modules is as unproductive as disabling file uploads. mysql_real_escape_string is no longer state of the art; which makes it bad advice (much less the mysql_escape_string as mentioned later).

The list in disabling "dangerous functions" is also quite retarded. Not everything with an "exec" in the name does actually call system commands. Disabling "curl_exec" for example will be a pain in the butt if you also disabled "allow_url_fopen". The author knew about "allow_url_include" but bemusingly got the purpose confused here. Anyway, that's exactly the kind of cursory security recommendation that makes unacquainted shared hosters go overbroad with limited reasoning.

Jonathan Cremin (reply) November 27, 2011, 5:04 pm

eval() is not another name for include(). eval() is often used by trojan shells, and rarely used wisely or legitimately.

bish November 26, 2011, 7:08 pm

On RHEL/CentOS/Fedora, *never* rebuild an app by hand like php. The version you will end up with will be un-tuned, unsupported and very different in features from what the distro offers. It will also within a week need to be built again, tested against the OS and updated. You don't have the time.

Having said that, don't delete ini files within the php.d ini pool. Don't rename them. Open them up and comment out the parts you like (yes, even if it's everything) and save them back. The reason why has to do with RPM update behaviour when files are missing vs when config files are changed but exist on the system.

In #23, be careful that you don't take this trick too far. It works because it targets what the apache user can't do. Users who've gained root of course don't have any problem opening their own firewall holes, but you may not have thought as much in the afterglow of reading such a great suggestion.

It's a nice post. I can see a few things I can definitely use, myself, at home and at work.

Jonathan Cremin (reply) November 27, 2011, 5:56 pm

A year and a half of security fixes since 5.3.3, and you think building it by hand is something you should never do? The *first* thing a responsible sysadmin should do is run a current version of PHP.


bish March 25, 2012, 2:05 am

I ran into this exact problem not so long ago. Apparently, some people believe that RH and others just compile a 5.3.3 and just leave it. How naive.

The customer in question had to HAD TO have a 'new' PHP 5.3.11, as it was the most secure and up-to-date one around, guaranteed. A quick perusal of mitre showed the version in question (not sure now if it was 5.3.11) had about a half-dozen exploits. The user was completely oblivious to this.

You know who wasn't? The team paid full-time to patch and test around the exploits on the packages they support. The PHP version available from the distro was fully patched for all applicable exploits affecting that version. It even covered the half-dozen ones that would have laid the 'new, thus more secure' version wide open.

I think the first thing a responsible sysadmin should do is to not randomly compile in this week's code, breaking natural upgrade potential from professionals and compatibility with the OS, and maybe trust that a team of people whose job it is to keep their stuff secure may be more proficient at it. But, YMMV if you happen to have a large team dedicated to security alerts and code rebuilds in response.

Old base-releases of software aren't just for sadistic sport; they're for compatibility and certification for ISVs, or at least those who can code toward a firm target. "Did the brochure mention it was certified on that OS?" is a question we need to ask more often.

Elton Lockhart August 21, 2012, 10:02 am

This is a great comment. Other readers should take heed of what is said here. Packages in a distro are patched for exploits, and administration of your own compiled PHP version takes a lot of time.

Cody October 31, 2012, 2:32 am

Exactly. bish is spot on. That goes even for removing files instead of commenting out the related parts. If you remove the file or rename it without having a file with the original name, there's potential for a completely new configuration file on an update. Look up .rpmnew files (google or whatever). That new files could be installed would be bad in many ways, including services being broken and also security issues. And if you want to comment out every line entirely, you could simply do something like this (assume the comment char is # which most often is):

sed -i 's/^/#/g' filename

Jonathan: it's called a backport. Note how CentOS 6.3 has php 5.3.3. But do you actually think that means the source is only of php 5.3.3? Not at all. Since you posted that there's been more than 9 updates and 9 of those include one (often more than one) fix(es) to security flaws (yes, I am referring to php in CentOS). Your suggestion is therefore quite invalid. Check this:

https://access.redhat.com/security/updates/backporting/?sc_cid=3093

Note also that your thinking would also mean that if someone changes a banner to show something different than what the program is, then it must be so. And even disabling software version display doesn't necessarily mean the version is completely hidden.

Besides taking more time updating things, there's other reasons compiling is not at all appealing for production servers.

As I said earlier, package based distros will typically backport the fixes, anyway. A perfect example is one that is mentioned in this article: CentOS. Observe how CentOS 6.x is still in the 2.6.x kernel tree and the current kernel tree is 3.6 and current stable is 3.6.4. Guess what though? CentOS still update the packages when there is a need (and there's often enough security fixes included). If you want the absolute latest then go for a distro that has newer versions, but observe that newer versions can equate to new bugs, new compatibility issues, new problems in general. Also, as for, say, Fedora versus CentOS, CentOS end of life time (10 years) is much longer than Fedora (2 years if I recall) and that means updates are applied longer, too.

The fact there's package based distros is a blessing and I not only love programming, I have used the distros that were built entirely from source and similar (as in Linux from scratch and Gentoo). I even had at one point worked on my own distro (and I don't mean rebranding) and while fun it would be insane to take on my own if I were to keep it updated and stable. And that last point is why binary distros are beneficial. Compatibility (programs built for one version of a library may very well be useless if the library is not that version), stability (and what is the point of a server if it is unstable) and much more.

And another thing that I don't think was said (if so I didn't read it as such). Why would anyone consider unpackaged programs along with packaged programs? Sure, there is


As always, I surely would trust an outbound/inbound monitor or intrusion system of any kind no matter what.

Blagomir Ivanov November 30, 2011, 2:18 pm

This is a very useful post. But what about securing the users in a chroot environment, not VPS as OpenVZ? Does this mean that I must have a separate php process running for every one of the websites hosted on the same server?

I mean, if I start a php-cgi process with spawn-fcgi, it will be started with user "website1". But this user does not have access to files in website2, so it can not read/write/execute php files from website2. Am I right?

Thomas December 6, 2011, 8:15 pm

I'm also looking forward to a good sendmail wrapper (with logging capabilities).

All I tried skip the attachment files when using the PHP mail function and a wrapper (php or sh). Any idea please?

Jack ade December 7, 2011, 6:10 pm

The best way of securing PHP is to use suPHP or Apache-mod-itk (requires apache to run as root, so it can fork/setuid to the website user to run the scripts) to run the scripts as the user who owns the specific website, rather than the web server user, and also to disable allow_url_include (this makes it impossible to use include() or require() to execute external sources yet still allows file_get_contents()/readfile() and others to grab external legitimate files, like RSS feeds and so on).

Additionally, 99% of PHP vulnerabilities are the result of bad "programmers", not server security issues.

Aziz December 11, 2011, 2:01 am

Nice writeup Vivek. What's your opinion on running an apache server on fastcgi/fpm/suhosin? From a security standpoint, is suexec necessary, or applicable, in this kind of setup? Or is it sufficient to create a separate fpm pool with a non-privileged user for each vhost?

Guido Iaquinti December 21, 2011, 8:22 pm

Very good job, thanks for sharing.

Balaji December 22, 2011, 11:55 am

Excellent sharing. Thanks. Expecting more :)

JIEM February 23, 2012, 5:34 am

Hello,

Somebody, can tell me how to disable eval() on php?

I have added this function on disable_functions but it is not working!

Yunus (reply) February 23, 2012, 5:45 am

Make sure you have disabled it in the proper php.ini file. For instance Debian/Ubuntu have different ini files for cli, cgi and apache.

JIEM February 23, 2012, 9:08 am

Dear Yunus,

I have added it on disable_functions in php.ini but it is not working.

I'm using centos + cpanel. Can you help me?

Yunus February 23, 2012, 9:21 am

Sure, I will try to help, pls contact me at yunus[at] bridgeinfomatics.com

Dhanu March 24, 2012, 1:07 pm

#5 Log All PHP Errors

Thanks for the source code.

iyrag May 21, 2012, 5:02 pm

mysql_escape_string() will be deprecated; PDO is suggested instead :)

Lukasz June 13, 2012, 12:58 pm

thx man


Satheesh July 17, 2012, 7:11 am

It is very useful information. Thanks to cyberciti.biz.

Just a user July 25, 2012, 7:33 pm

Thank you.

You have no idea how much you helped me.

cyberciti.biz is now in my top bookmarks.

btw for SQL mysql_escape_string() is not so good.

We should all use parameter binding (for sql) and htmlpurifier for filtering user input.

zingerx August 26, 2012, 12:00 pm

Thank you!

Leonardo Embon August 31, 2012, 1:35 pm

I've found the article GREAT. I have just a question. Which user should be used to deploy files to the site, where the deployer doesn't have root access? Should I "su apache" or is it better to add my user to the apache group and have 775 in the whole tree?

James Rhys (reply) November 30, 2012, 5:33 pm

Ideally you'll have a 'deployer' user. I've seen installations that use Jenkins or plain bash (use other usernames to obfuscate the deployment user) that has write access on the directories you wish to update (/var/www/*) but only has firewall access from within your VPN/LAN (e.g. 10.10.10.10). They'll need read and write (but not execute) permissions on the directories they deploy to.

olashile October 19, 2012, 11:36 pm

do you sell shell php uploaded/hosted to upload bank script? page

zZz December 7, 2012, 8:38 pm

*eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure php to disable eval()*

eval() is a PHP language construct. Not a PHP function.

You can't disable it using the standard disable_functions directive in your php.ini.

Use suhosin, it has the

suhosin.executor.disable_eval = On

directive.

Thanks, very nice material. Keep it up.
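Two points from this thread are easy to verify on a host: Yunus's advice that the change must land in the php.ini that the SAPI in question actually reads, and zZz's point that eval() is a language construct and so never appears in disable_functions. The diagnostic below is an added example, not code from the original article or any commenter; run it under the SAPI you care about (with `php` from the CLI it reports the CLI's ini files, under Apache or FPM serve it as a script) and it lists which ini files were loaded and whether each configured disable_functions entry is actually disabled.

```php
<?php
// Added example (not from the original article or comments): report which
// ini files this SAPI loaded and whether disable_functions took effect.
declare(strict_types=1);

function iniReport(): array
{
    // disable_functions is a comma-separated list; ini_get() returns false
    // when the directive is unknown, hence the string cast.
    $configured = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

    $status = [];
    foreach ($configured as $fn) {
        // function_exists() returns false for a function disabled through
        // disable_functions, so "STILL ENABLED" means the setting was not
        // picked up by this SAPI (wrong php.ini, or not reloaded).
        $status[$fn] = function_exists($fn) ? 'STILL ENABLED' : 'disabled';
    }

    return [
        'sapi'             => PHP_SAPI,
        'loaded_ini'       => php_ini_loaded_file() ?: '(none)',
        'scanned_ini'      => php_ini_scanned_files() ?: '(none)',
        'disabled'         => $status,
        // eval is a language construct, not a registered function, which is
        // why disable_functions cannot reach it: this is always false.
        'eval_is_function' => function_exists('eval'),
    ];
}

$r = iniReport();
printf("SAPI:            %s\n", $r['sapi']);
printf("php.ini:         %s\n", $r['loaded_ini']);
printf("scanned ini:     %s\n", $r['scanned_ini']);
printf("disable_functions entries: %d\n", count($r['disabled']));
foreach ($r['disabled'] as $fn => $state) {
    printf("  %-28s %s\n", $fn, $state);
}
printf("eval() registered as a function: %s\n", $r['eval_is_function'] ? 'yes' : 'no');
```

On a Debian-style layout the `scanned ini` line is where the per-SAPI conf.d files show up, which is exactly the place a disable_functions edit made in the wrong directory will be missing from.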

Gustavo December 14, 2012, 7:21 pm

Disable .htaccess support and use apache rules directly in the virtual host; you obtain better performance.

Set error pages.

Disable Directory Listing:

Options -Indexes

Error Pages: http://httpd.apache.org/docs/2.2/custom-error.html

ramiro April 3, 2013, 8:07 pm

Wonderful information you share. Thanks, this has been very useful to me.

Chris December 13, 2013, 2:30 pm

I've also come up with a tool that checks the php.ini configuration currently in use and returns warnings/errors it finds.

Iniscan: https://github.com/psecio/iniscan

Could be helpful to some out there.

aspel December 19, 2013, 8:13 am

Why should parse_ini_file() be disabled?

I can't find any security issue using this function.

Can you explain to me why?

Mark inzel February 16, 2014, 5:32 am

What would your recommendation be for the open_basedir setting? I have seen conflicting reports. Do you want to do /home/user/public_html or just /home/user?

I have also seen mention of /home/tmp.

I have not seen a clear explanation of how to set it to avoid issues down the road.

I am using FastCGI (so have to set it in each user's php.ini file).

Chris Cornutt (reply) February 17, 2014, 12:33 am

Personally, I'd suggest two things when it comes to open_basedir:

1. Keep it inside the base of the application. This isn't the same thing as the document root as you could have files outside of that that relate to the application. I'd *never* allow access to a user's home directory though.

2. Keep it as limited as possible. Don't specify something like "/var/www" when "/var/www/site-name/public" will work.

Mk February 22, 2014, 1:09 pm

1) I'm confused with open_basedir and upload_tmp_dir. I think that upload_tmp_dir should not be inside open_basedir. Why should code execution happen in the upload directory? Currently I have set it outside open_basedir and I have only a warning when uploading images in an installation of wordpress, because it tries to determine the type of file inside the upload directory, which I think it shouldn't try to do in the first place. I'm still studying that though. Everything else works correctly including file upload plugins etc!

2) I have the same question about session.save_path. Should code execution in session.save_path be allowed?

3) Also, is it correct for session.save_path and upload_tmp_dir to share the same directory?

4) And finally, does anybody know what folder permissions the session.save_path and upload_tmp_dir directories should have? I think that the answer on this is 600 but I would like to know what others think.

        Chris Cornutt February 23, 2014, 7:47 pm

        Some answers!

        1) The way that PHP operates, upload_tmp_dir *has* to be inside the open_basedir if it's set. Otherwise it cannot write to the directory when a user uploads the file. Keep in mind, though, that you should be immediately moving the temporary file once the user uploads it. Also remember, you can have multiple directories for open_basedir separated with a colon (:).

        2) Not sure what you mean by "code execution" but I assume by your first question, you mean the open_basedir setting. As far as I know, session save path is influenced by open_basedir so it'd need to be included in the open_basedir list as well.

        3) Personally, I'd recommend against the save_path and upload_tmp_dir sharing the same path. It'd be better for a separation of concerns to have them in different places.

        4) The permissions depend on who owns the directory, really. If you set the owner to the web server user, then 600 should be fine (you might need 700, not sure).
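    One way to check the path layout Chris describes before a php.ini goes live, as an added example that is not part of the original article or of the comments above. It is a POSIX shell script; the function names and every path in it are constructed for the illustration. It verifies that upload_tmp_dir and session.save_path each fall inside one entry of the colon-separated open_basedir list, that the two do not share a directory, and that no open_basedir entry is "/" or a home directory:

```shell
#!/bin/sh
# Added example, not code from the article or from the commenters.
# Checks the php.ini path relationship discussed above: upload_tmp_dir and
# session.save_path must each sit inside one entry of the colon-separated
# open_basedir list (or PHP cannot write to them), they should not share a
# directory, and open_basedir should not expose "/" or a home directory.
# All paths used below are constructed sample values.

# in_basedir PATH OPEN_BASEDIR -> exit 0 when PATH is inside some list entry
in_basedir() {
    path=$1
    list=$2
    old_ifs=$IFS
    IFS=':'                                 # open_basedir entries are colon-separated
    for entry in $list; do
        entry=${entry%/}                    # tolerate a trailing slash on the entry
        case "${path%/}/" in
            "$entry"/*) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# check_php_paths OPEN_BASEDIR UPLOAD_TMP_DIR SESSION_SAVE_PATH
# Prints "ok" and returns 0, or prints one finding per line and returns 1.
check_php_paths() {
    basedir=$1
    upload=$2
    session=$3
    findings=""

    in_basedir "$upload" "$basedir" ||
        findings="${findings}upload_tmp_dir $upload is outside open_basedir: uploads will fail
"
    in_basedir "$session" "$basedir" ||
        findings="${findings}session.save_path $session is outside open_basedir: sessions will fail
"
    [ "${upload%/}" != "${session%/}" ] ||
        findings="${findings}upload_tmp_dir and session.save_path share a directory: separate them
"

    # Chris's second rule: keep the list tight, never "/" or a user's home
    old_ifs=$IFS
    IFS=':'
    for entry in $basedir; do
        case "${entry%/}" in
            "") findings="${findings}open_basedir entry '$entry' opens the whole filesystem
" ;;
            /home|/home/*|/root|/root/*)
                findings="${findings}open_basedir entry '$entry' exposes a home directory
" ;;
        esac
    done
    IFS=$old_ifs

    if [ -z "$findings" ]; then
        printf 'ok\n'
        return 0
    fi
    printf '%s' "$findings"
    return 1
}

# Usage: this constructed layout passes; substitute your own php.ini values
check_php_paths '/var/www/site/public:/var/www/site/uploads:/var/www/site/sessions' \
    /var/www/site/uploads /var/www/site/sessions
```

    The containment test appends a slash to both sides so that an entry of /var/www/site does not accidentally cover /var/www/sitefoo; entries containing glob characters are not expected in open_basedir and are not handled specially.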

        Cody March 13, 2014, 5:57 pm

        And to elaborate on point 4 (not that I think Chris did anything incorrect or wrong here - I just feel there's no such thing as too much information on the subject of permissions). Also, apologies if I went overboard with some of this, but I got carried away with explaining modes and didn't realise how far I went until after the fact. Anyway:

        As Chris wrote, it depends on who owns the directory and more so what permission is needed. But - and here's the important bit (pardon the pun! permission bits and all) - use the most restrictive permission as possible, always. Okay, obviously you shouldn't mess around with most of your directories, binaries, libraries, etc., and you should never blindly change ownership of these without knowing what you're doing - chmod and chown can be very dangerous, especially when recursively operating, but for /var/www (or wherever you have your web directory) you should be fine, especially if you don't recursively chmod (in general the -R option is something you need to be careful of, for chmod and chown). So if you can get away with 400 then by all means do so (I doubt you'd be OK with that since then you'd have to be root to write to the files, but the point remains the same: restrict where you can as much as you can, as long as it is safe). On the subject of whether read is sufficient, there's also the possibility that - for example - you have a user (regular) for editing files in the web directory (as a virtual host, say) and the apache user is the group of the directory (for example it has a CMS that might update a file), or alternatively, if you don't have a CMS, you have the group also be the same as the owner and only allow read/execute for the rest of the world (so that apache can open and serve files to viewers of the websites). Then, you can just grant rwx to the user, and apache (or just others) can get away with rx (so can read files and can open directory). Others (world) should never include write on a website. If there were any files that the site itself (let's say a CMS) needs to edit (say on update of the CMS) then you can grant those files write access to the apache user (or however you have apache set up). In short you're restricting it as much as possible but not breaking anything either.

        An important elaboration on permissions is it also goes for database permissions. Example: wordpress documentation insists you need to GRANT ALL to the user on the database that wordpress uses. However, that is complete and utter nonsense. I know because I use much more restricted on my wordpress installs and there has never been a problem related to this (mod_security2 and other things can cause issues but that's nothing to do with the database itself, and mod_security2 is actually well worth any hassle getting it to function correctly (false positives, certain rules needing modifications for your site, whatever it is)). Furthermore, and I seem to remember wordpress documentation is guilty here too, when people suggest that to fix or make sure it isn't a permissions issue (read/write permissions) you should (even if temporarily) set 777, don't do it (for your own sake and for your system's sake): why on earth anyone would think a directory should be world read/write/execute to make sure there are no permission issues is to this day something that bewilders and bemuses me. The only directories that should be 777 (which are actually 1777 - restricted delete; 1777 on a file would be sticky bit with read/write/execute) are directories like /var/tmp and /tmp.

        If you ever do need write and read permission, then 6 (or rw) should suffice. If you only need read then 4 suffices. Likewise, if you only need read and execute, then 5 suffices. Also, as for the execute bit: 1 = x, 2 = w, 4 = r, and they are bits (so binary), which is why 7 = rwx, 6 = rw, 5 = rx, etc. Note the modes themselves, that is 0-7, are in fact not binary but octal (hence 0-7), but they add up like binary (observe that 8 is divisible by 2 just like 16 is, which is why octal and hexadecimal are often used in programming - much more convenient than binary). It depends on if the file is a directory or a regular file as to what it is used for. For regular files it allows execution. For directories it allows changing to the directory (you'll need +r for viewing files in it and +w for writing to the directory).

        Anyway, hopefully that is of value to _someone_, and hopefully the fact I am still trying to wake up did not allow me to make any stupid mistakes/errors, but if I did I am sure someone will correct me (I hope so anyway).
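    The octal arithmetic Cody walks through, and his rule that "others" should never have write on a website, as an added shell example that is not part of the original article or of the comments. It decodes a mode digit by digit the way he describes (r = 4, w = 2, x = 1 for owner, group and others) and then scans a web root for entries writable by others. The directory names, file names and modes in the sample tree are constructed for the demonstration and are created in a temporary directory:

```shell
#!/bin/sh
# Added example, not code from the article or from the commenters.
# Decodes octal modes the way Cody explains them (r=4, w=2, x=1 for each of
# owner, group, others) and scans a web root for entries that grant "others"
# the write bit. The sample tree is constructed in a temporary directory.

# mode_to_rwx MODE -> symbolic form of the last three octal digits,
# e.g. mode_to_rwx 0750 prints rwxr-x--- (setuid/setgid/sticky digit ignored)
mode_to_rwx() {
    digits=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$digits" | cut -c "$i")
        r='-'; w='-'; x='-'
        [ $((d & 4)) -ne 0 ] && r='r'     # 4 = read
        [ $((d & 2)) -ne 0 ] && w='w'     # 2 = write
        [ $((d & 1)) -ne 0 ] && x='x'     # 1 = execute (or directory traversal)
        out="$out$r$w$x"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# others_can_write MODE -> exit 0 when the "others" class has the write bit,
# the one bit that should never be set on a website's files or directories
others_can_write() {
    last=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    [ $((last & 2)) -ne 0 ]
}

# make_sample_tree -> prints the path of a constructed web root whose modes
# mix the sane (0755/0644/0750/0640) with the over-permissive (0777/0666)
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public/uploads" "$root/config"
    : > "$root/public/index.php"
    : > "$root/public/uploads/avatar.png"
    : > "$root/config/db.php"
    chmod 0755 "$root/public"
    chmod 0644 "$root/public/index.php"
    chmod 0777 "$root/public/uploads"              # world-writable directory
    chmod 0666 "$root/public/uploads/avatar.png"   # world-writable file
    chmod 0750 "$root/config"
    chmod 0640 "$root/config/db.php"
    printf '%s\n' "$root"
}

# audit_world_writable DIR -> entries under DIR (relative, sorted) that
# others can write to; -perm -002 matches whenever the o+w bit is present
audit_world_writable() {
    ( cd "$1" && find . -perm -002 ! -name . | sed 's|^\./||' | sort )
}

# count_world_writable DIR -> number of findings, 0 for a clean tree
count_world_writable() {
    audit_world_writable "$1" | awk 'END { print NR }'
}

# Usage: build the sample tree, list the offenders, clean up
root=$(make_sample_tree)
audit_world_writable "$root"
rm -rf "$root"
```

    Run against a real document root, audit_world_writable lists exactly the entries Cody warns about; the fix is a targeted chmod on those entries rather than a recursive one over the whole tree.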

    Donald December 31, 2014, 3:16 am

    why no mention of suphp?

    humi March 5, 2015, 12:18 pm

    Useful. Thanks.

    nathan October 15, 2015, 7:47 pm

    great article. i have a quick question:

    in section 18 you recommend setting directory permissions to 0445.

    why give world read and execute, given owner and group only have read? am i missing something?

    thanks

    Abhay February 7, 2016, 7:33 am

    great article!

    Eric March 3, 2016, 11:12 pm

    Oh my Tux!

    How could you forget to mention OWASP?

    Please, forget any other database connection different from PDO.

    https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

    Markus May 11, 2016, 12:54 pm

    Thanks for the great article.

    I also add the pcntl_* stuff to disabled_functions, to avoid things like double forking.