This article is an introduction to the PHP environment, offered as a reference for anyone who needs it.
The same code can behave very differently in different environments. A configuration problem may be what makes a very high-risk vulnerability exploitable; or you may have found a vulnerability and, because of your own configuration, be unable to construct a working exploit for a long time. Configuration directives also differ between PHP versions: a new version may add or remove directives, change their default values, or fix a setting so that it can no longer be changed. So before auditing code we need to be very familiar with the core configuration-file directives of each PHP version; only then can we efficiently find high-quality vulnerabilities.
PHP has hundreds of configuration directives, so I won't introduce them one by one here. If you are interested, the full list is in the official PHP configuration documentation: http://www.php.net/manual/zh/ini.list.php
(1) open_basedir settings
open_basedir limits the directories an application can access, so check whether it is set. It is not always set in php.ini; some deployments set it through the web server, for example with Apache's php_admin_value, or in the conf for nginx+fcgi.
(2) allow_url_fopen setting
If allow_url_fopen=ON, then PHP can read remote files for operation, which is easily exploited by attackers.
(3) allow_url_include setting
If allow_url_include=ON, then PHP can include remote files, which will cause serious vulnerabilities.
(4) safe_mode_exec_dir setting
This option controls the directory from which PHP may call external commands. If the PHP program calls external commands, knowing the directory those commands live in helps control the program's risk.
(5) magic_quotes_gpc setting
This option escapes the special characters submitted in parameters. It is recommended to set magic_quotes_gpc=ON.
(6) register_globals setting
Turning on this option will cause PHP to register all externally submitted variables as global variables, and the consequences are quite serious.
(7) safe_mode setting
safe_mode is an important security feature of PHP; it is recommended to turn it on.
(8) session.use_trans_sid setting
If session.use_trans_sid is enabled, PHP passes the session ID through the URL, which makes it easy for an attacker to hijack the current session, or to trick the user into using an existing session that the attacker controls.
(9) display_errors setting
If this option is enabled, PHP outputs all error and warning information, and attackers can use this information to obtain the web root path and other sensitive information.
(10) expose_php setting
If the expose_php option is enabled, every response generated by the PHP interpreter includes the PHP version installed on the host system. Knowing the version of PHP running on a remote server allows an attacker to enumerate known attack techniques against the system, greatly increasing the chance of a successful attack.
(11) magic_quotes_sybase (automatic magic-quote filtering)
The magic_quotes_sybase directive is used to automatically filter special characters. When it is set to on, it overrides magic_quotes_gpc=on; that is, even if gpc=on is configured, it has no effect. What this directive has in common with gpc is that both process the same input: POST, GET and Cookie data.
(12) disable_functions (disable functions)
In a formal production environment, to run PHP more safely, you can also use the disable_functions directive to disable some sensitive functions. When you use this directive to ban dangerous functions, remember to add the dl() function to the banned list, because attackers can use dl() to load custom PHP extensions and break through the restrictions of the disable_functions directive.
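An added example (not from the original article): a short PHP script that reads the effective value of each directive listed above with ini_get() and reports those that differ from what the article recommends. The function names and the sample values are assumptions made for illustration; a directive that the running PHP version does not have is reported as absent.

```php
<?php
// Added example, not the article's code. Written without short array syntax or
// type hints so that it also parses on old PHP versions.

function is_on($v) {
    // ini_get() returns strings such as "1", "On", "" or "0" for on/off directives.
    return in_array(strtolower((string)$v), array('1', 'on', 'yes', 'true', 'stdout', 'stderr'), true);
}

// $get is any callable that maps a directive name to its value, or false if absent.
function audit_ini($get) {
    $wantOff = array('allow_url_fopen', 'allow_url_include', 'register_globals',
                     'session.use_trans_sid', 'display_errors', 'expose_php');
    $wantOn  = array('magic_quotes_gpc', 'safe_mode'); // the article recommends On
    $findings = array();
    foreach (array_merge($wantOff, $wantOn) as $name) {
        $v = call_user_func($get, $name);
        if ($v === false) {
            // ini_get() returns false when this PHP version has no such directive.
            $findings[$name] = 'not present in this PHP version';
        } elseif (is_on($v) !== in_array($name, $wantOn, true)) {
            $findings[$name] = 'set to ' . (is_on($v) ? 'On' : 'Off');
        }
    }
    if ((string)call_user_func($get, 'open_basedir') === '') {
        $findings['open_basedir'] = 'not set, no directory restriction';
    }
    $raw = strtolower((string)call_user_func($get, 'disable_functions'));
    if (!in_array('dl', array_map('trim', explode(',', $raw)), true)) {
        $findings['disable_functions'] = 'dl() is not in the disabled list';
    }
    return $findings;
}

// Constructed sample values (not taken from any real server).
$sample = array(
    'allow_url_fopen' => '1', 'allow_url_include' => '0', 'register_globals' => '1',
    'session.use_trans_sid' => '0', 'display_errors' => '1', 'expose_php' => '1',
    'magic_quotes_gpc' => '1', 'safe_mode' => '0',
    'open_basedir' => '', 'disable_functions' => 'exec, system, passthru',
);
$fromSample = function ($n) use ($sample) { return isset($sample[$n]) ? $sample[$n] : false; };

foreach (audit_ini($fromSample) as $k => $msg) { echo "[sample] $k: $msg\n"; }
// Effective values of the running interpreter, including web-server overrides.
foreach (audit_ini('ini_get') as $k => $msg) { echo "[live]   $k: $msg\n"; }
```

Run it under the same SAPI as the application (for example through the web server rather than the CLI), since values set with php_admin_value only show up there.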
| Constant | Meaning |
|---|---|
| PHP_INI_USER | This configuration option can be set in the user's PHP script or the Windows registry |
| PHP_INI_PERDIR | This configuration option can be set in php.ini, .htaccess or httpd.conf |
| PHP_INI_SYSTEM | This configuration option can be set in php.ini or httpd.conf |
| PHP_INI_ALL | This configuration option can be set anywhere |
| php.ini only | This configuration option can only be set in php.ini |