Author: san < A more detailed introduction to the problems encountered in the programming process of PHP and CGI programs, and how to break through the system through application vulnerabilities. In this article, we will strengthen the security of PHP by configuring some server-side features of PHP. When writing cgi scripts, we must pay attention to various security issues and strictly filter user input. However, there is no way you can walk on the shore without getting your shoes wet, or eat sesame seeds without losing sesame seeds. People may stumble, and horses may miss. Even the famous phpnuke, phpMyAdmin and other programs have had serious problems, let alone scripts written by gangsters like me. So now we assume that serious problems have occurred in php scripts. For example, a while ago, phpnuke had a big problem with uploading php scripts. How can we configure the server to prevent the script from breaking through the system if such problems occur?
1. Pay attention to patching known vulnerabilities when compiling
Starting from 4.0.5, PHP’s mail function has added a fifth parameter, but it is not filtered properly, making PHP applications The program can break through the restrictions of safe_mode and execute commands. Therefore, when using 4.0.5 and 4.0.6, we need to modify the
ext/standard/mail.c file in the php source code package before compilation to disable the fifth parameter of the mail function or filter shell characters. In line 152 of the mail.c
file, which is the following line:
if (extra_cmd != NULL) {
followed by extra_cmd=NULL; or extra_cmd = php_escape_shell_cmd(extra_cmd);
Then compile php, then we will fix this vulnerability.
2. Modify the php.ini configuration file
Modify it based on the php.ini-dist of the php distribution version.
1)Error handling and logging
You can make some settings in the Error handling and logging section. First find:
display_errors = On
By default, php turns on the error message display. We changed it to:
display_errors = Off
After turning off the error display, the php function executes the error The information will no longer be displayed to the user. This can
prevent the attacker from knowing the physical location of the script and some other useful information from the error message to a certain extent. This will at least cause certain obstacles to the attacker's black box detection. . These error messages may be useful to ourselves. We can write it to the specified file, then modify the following:
log_errors = Off
to:
log_errors = On
and the specified file , find the following line:
;error_log = filename
Remove the previous; comment and change filename to the specified file, such as
/usr/local/apache/logs/php_error.log
Error_log = /usr/local/apache/logs/php_error.log
In this way, all errors will be written to the php_error.log file.
2)Safe Mode
PHP’s safe_mode function restricts or disables many functions, which can solve PHP’s
security issues to a great extent. Find in the Safe Mode section:
safe_mode = Off
Change to:
safe_mode = On
This turns on the safe_mode function. Some functions like shell_exec() and `` that can execute system commands are prohibited, and other execution functions such as: exec(), system(), passthru(), popen() will be restricted to only execute files in the directory specified by safe_mode_exec_dir. program. If you really want to execute some commands or programs, find the following:
safe_mode_exec_dir =
Specify the path of the program to be executed, such as:
safe_mode_exec_dir = /usr/local/php/exec
Then copy the program you want to use to the /usr/local/php/exec directory, so that the restricted functions like the above
can also execute the program in the directory.
For detailed information about restricted functions in safe mode, please see the instructions on the main php site:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are not sure about the harmfulness of some functions and do not use them, simply disable these functions
.Find the following line:
disable_functions =
Add the function to be disabled after "=", and separate multiple functions with ",".
3. Modify httpd.conf
If you only allow your php script program to operate in the web directory, you can also modify the httpd.conf file to limit the operation path of php. For example, if your web directory is /usr/local/apache/htdocs, then add these lines to
httpd.conf:
php_admin_value open_basedir /usr/local/apache/htdocs
In this way, if the script wants to read files other than /usr/local/apache/htdocs, it will not be allowed,
If the error display is turned on
it will prompt an error like this:
Warning: open_basedir restriction in effect. File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
Wait.
4. Compile the php code
Zend has made a great contribution to php. The engine of php4 uses Zend, and it has also developed ZendOptimizer
and ZendEncode and many other php Strengthen components. The optimizer ZendOptimizer can be obtained for free by just registering at
http://www.zend.com. The following are
ZendOptimizers for 4.0.5 and 4.0.6. The file names are for their respective systems. :
ZendOptimizer-1[1].1.0-PHP_4.0.5-FreeBSD4.0-i386.tar.gz
ZendOptimizer-1[1].1.0-PHP_4.0.5-Linux_glibc21-i386.tar .gz
ZendOptimizer-1[1].1.0-PHP_4.0.5-Solaris-sparc.tar.gz
ZendOptimizer-1[1].1.0-PHP_4.0.5-Windows-i386.zip
The installation of the optimizer is very convenient, and there are detailed instructions in the package. Taking the UNIX version as an example, check the operating system and unzip the ZendOptimizer.so file in the package to a directory, assuming it is /usr/local/lib
. Add two sentences to php.ini :
zend_optimizer.optimization_level=15
zend_extension="/usr/local/lib/ZendOptimizer.so"
That’s it. Use phpinfo() to see the following text on the left side of the Zend icon:
with Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
Then, the optimizer has been successfully connected.
But the compiler ZendEncode is not free. Here is a compiler shell designed by Ma Yong of
http://www.PHPease.com. If it is used for commercial purposes, please contact
http Contact ://www.zend.com to obtain a license agreement.
After the php script is compiled, the execution speed of the script increases a lot, and the script file can only see a bunch of garbled characters, which will
prevent the attacker from further analyzing the script program on the server, and the original php script Passwords stored in clear text
are also kept confidential, such as mysql passwords. However, it is more troublesome to change the script on the server side.
It is better to change it locally and then upload it.
5. Permission settings for files and directories
In addition to the upload directory, the permissions of other directories and files in the web directory must not allow the nobody user to have write permissions
. Otherwise, the attacker can modify the home page file, so the permissions of the web directory must be set
. Also, the owner of the php script must not be root, because the function of reading files in safe_mode is restricted
The owner of the file to be read must be the same as the owner of the currently executing script in order to be read, otherwise if
If the error display is turned on, errors such as the following will be displayed:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php
on line 3
In this way we can prevent many system files from being read, such as: /etc/passwd, etc.
The owners of the upload directory and the upload script must also be set to the same, otherwise errors will occur. In safe_mode
these should be noted.
6. Mysql startup permission settings
Mysql should be noted not to be started with root. It is best to create another mysqladm user. You can add a sentence in
/etc/rc.local and other system startup scripts:
su mysqladm -c "/usr/local/mysql/share/mysql/mysql.server start"
like this After the system restarts, the mysql process will be automatically started as the mysqladmin user.
7. Review of log files and upload directories
Viewing logs has a lot to do with human laziness. Finding attack traces from such a large log file is like finding a needle in a haystack, and it may not be possible. have. The files in the directory uploaded by the web should also be checked frequently. There may be a problem with the
program and the user has uploaded some illegal files, such as executing scripts.
8. Patches of the operating system itself
Similarly, patching known vulnerabilities in the system is the most basic responsibility of the system administrator, and it is also the last line of defense.
After the above configuration, although it cannot be said to be impregnable, it has also caused a lot of trouble for the attacker's testing to a certain extent. Even if there are serious vulnerabilities in the PHP script program, the attacker will not be able to cause practical consequences. of destruction. If you have any weirder or more perverted configuration methods, I hope you can share them;)
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
