Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Ten PHP Security Hacks Compatible With Linux Distros

DZone's Guide to

Ten PHP Security Hacks Compatible With Linux Distros

In this post, we will be enlisting a few security tips concerning PHP as the programming platform. These tips will target proper functioning of apps across multiple platforms followed by the creation of secured web applications.

· Security Zone
Free Resource

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

If you ever encountered PHP, you would know how useful it is as a ‘server-scripting’ programming language. Be it the unprecedented market dominance or compatibility across multiple domains, PHP is certainly one of the most sought after entities in this digital realm. Moreover, the availability of PHP 7 is one of the better deals for the programmers and developers who are on the constant lookout for secured measures and a wide-array of customizable features.

Amid the seething popularity of this programming language, security has to be the major precursor which is actually luring the developers. PHP comes with extremely secured layout, across multiple layers but the usage and application depends entirely upon the developers. In this post, we will be enlisting a few security tips concerning PHP as the programming platform. These ideas are basically targeted towards admins who are currently using Linux distros— including Ubuntu, Fedora and other related renditions. These tips will target proper functioning of apps across multiple platforms followed by the creation of secured web applications.

Discussing these will help developers combat the growing issues of sea-surf attacks, SQL injections, XSS issues and even the likes of eval() and file uploads. Be it cross-site scripting or even remote file inclusion, certain PHP vulnerabilities can compromise the entire security module of an application, leading to catastrophic proportions.

  1. Amputate Unnecessary PHP Modules

PHP offers a wide-array of built-in modules which do serve many purposes but aren’t always required. The idea here is to view the available modules and get rid of the ones which aren’t even necessary. One can readily view the list via the following command:

# php – m

Now when the obsolete models have been amputated, the performance is expected to go up and the web application which is being developed will be secured.

  1. Restrict Information Leakage

PHP, like any other platform, is susceptible to information leaks. Some of the usual suspects which can be compromised include server details and even the version which is being used. PHP gives out these details via ‘expose_php’ directive which can be turned off to avoid any leak.

This feature can be accessed via  /etc/php.d/security.ini.

  1. Remote Code Execution Needs to be Disabled

This is where a PHP enabled system can lose the war against code injections and certain other vulnerabilities. Therefore, it is advisable to disable ‘remote code execution’ while handling PHP operations which is usually enabled, by default. This code can be reached via ‘allow_url_fopen’ directive and opens the gates for functions like include, require and a few more. While many fopen wrappers can get access to the system files, most instances of remote access can be backtracked to FTP and HTTP protocols.

One can disable ‘remote code execution’ through the following set of commands:

Allow_url_fopen=Off

Allow_url_include=Off
  1. Hide PHP Errors

It is advisable not to publicize the PHP errors to the public while developing and managing certain web applications. This precautionary measure should be taken in all cases and most importantly when you are dealing with kik login details, Gmail signup information and other sensitive aspects related to user privacy. If the errors are not visible to the public, hackers won’t be able to find a glitch and materialize the same for opening up a breach.

The website, therefore remains secured and so is the user information. One can disable this feature by accessing the /etc/php.d/security.ini file and typing the following command:

dispaly_errors=Off
  1. Control Resources

There are a few manual stuffs you need to control as a Linux admin while working with PHP. Firstly, you need to ensure proper allocation of resources, precisely while handling ‘PHP script’ execution. Once the limit is set, you can also put a tap on the parsing request time. Other aspects which need to be controlled include memory usage and execution time. Following these measures can readily secure your web application.

The manual option can be accessed via security.ini, by typing the following set of commands:

# set in seconds

max_execution_time = 25

max_input_time= 25

memory_limit= 30M
  1. Disable all PHP Functions which are Dangerous

While PHP offers a host of functional resources, there are certain functions which can be exploited by hackers for breaching through the web application. Even if you want to keep the platform working at all times, it is desirable to disable certain iffy functions in the quest towards better security.

One can access the functions via the editable php.ini file. The following set of commands need to be typed in order to access this function, in the best possible manner:

disable_functions = exec,passthru,

shell_exec, system, proc_open, popen, curl_exec,

curl_multi_exec, parse_ini_file, show_source
  1. Disable File Uploads

If you are working with a dedicated server and the web application doesn’t need extra files, it is advisable to disable the uploading option. If files aren’t being uploaded, it will be easier to safeguard the web app against security threats, posed by hackers.

Head towards the security.ini file and follow the /etc/php.d/directory for disabling the option.

The following command works perfectly for the admins:

file_uploads= Off
  1. Keep Things Updated

PHP as a platform needs to be checked for updates, bugs and occasional fixes. Therefore, developers need to patch the concerned technology for addressing security vulnerabilities, if any. Here is an open source community that is working hard towards getting the best set of features and exploits to the user community.

PHP solutions need to be updated in order to maintain the overall security of the application.

  1. Control System Access

Regardless of the programming platform, you need to be in control of the file system access. In PHP most files can be accessed via fopen () function and the open_basedir directive. Those who aren’t well accustomed to the directive sets need to implement the /var/www/html directory. It is advisable to follow the given command and not set any other security issue:

open_basedir = “/var/www/html/”
  1. Control ‘POST’ Size

Here is the last but one of the most important tips for keeping the Linux distros and the associated web applications safe. The ‘POST’ size function needs to be kept in check for a specific reason. Most developers use HTTP POST as a function for sending data to the concerned web server, via the client browser.

If the size isn’t predefined, a hacked might send over a huge chunk of data for clogging system resources and slowing down the responses. The POST size can be manipulated using /etc/php.d/security.inc file and the following command:

post_max_size= 1K

Bottom Line

For most web developers and Linux admins, security is certainly one of the biggest headaches. The aforementioned tips will surely come in handy for further securing the PHP development environment. Be it the web application or the associated directives, these ideas will surely help the Linux admins get their acts together while keeping up with user privacy.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Topics:
php ,linux ,hack

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}