This article was originally published in c't 18/2007, p. 178
Individual security measures for PHP applications
Private blogs and forums that make extensive use of PHP scripting are a popular target for cyber criminals. But there are alternatives to the loose standard PHP settings offered by providers. Basic security for your web space is easily achieved and can save you a lot of grief when the chips are down.
PHP has a reputation as an insecure programming language. New reports of vulnerabilities in PHP applications appear almost daily, and hobbyist administrators can hardly keep up with installing patches and updated versions. Nevertheless, the popular scripting language does offer a whole range of security mechanisms which can prevent holes from being exploited, or at least limit the resulting damage.
The greatest problem, however, is that in the standard PHP configuration almost all of these security options are deactivated for compatibility reasons. Each mechanism imposes its own restrictions, and a developer has to write code with those restrictions in mind. Since today's lenient PHP configurations on web servers rarely force developers to take account of the restrictions imposed by, for example, safe mode, the PHP world is full of applications that misbehave, or fail to work at all, on a secured server.
The PHP dilemma
Providers of shared web hosting cannot afford to tighten security for all customers on a server at once: it would trigger a flood of support requests about web applications that suddenly stop working. The lamentable result is that secured PHP environments in shared web hosting are practically non-existent. We looked at several web hosting packages, and not one provider had implemented even the most vital of all security options, register_globals = off. That closes the vicious circle: developers feel no pressure to make their applications work with PHP's security mechanisms.
Web space customers have no influence over server-side security measures such as the PHP extension Suhosin. But some PHP options can be set by the customer, in the web space itself. Which settings can be changed, and how, depends on the provider's server configuration, and that varies a great deal (see table).
All the web space offerings we looked at use the Apache web server, but Apache alone runs PHP in two very different ways: either as the mod_php module or via the time-honoured CGI interface. A short PHP script containing nothing but <?php phpinfo();?> gives you a useful status report on your web space. If the "Server API" line reads "Apache Handler" (or "Apache 2.0 Handler"), PHP runs as mod_php; a CGI installation reports "CGI" (or "CGI/FastCGI"). Further details, for example the user ID under which your scripts run, can be retrieved with tools such as PHPShell. Armed with this information you can set about securing your web space.
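The same status check can be condensed into a script that reports only the security-relevant facts instead of the full phpinfo() output. The following is an added example written for this article's topic; it is neither code from the original c't article nor part of PHPShell. It assumes nothing beyond a standard PHP 5 installation; the effective user ID is shown only if the posix extension happens to be compiled in, and the list of "wanted" values reflects the settings discussed in the text (register_globals off, safe mode on, no remote file access), not a provider's official recommendation.

```php
<?php
// Added example (not from the c't article): summarise the security-relevant
// parts of the PHP environment instead of reading the whole phpinfo() page.
// Run it once from your web space, then delete it: it tells anyone who can
// fetch the URL how your PHP is configured.

// ini_get() returns strings such as "1", "0", "", "On" or "Off"; normalise them.
function ini_bool($name)
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

// Returns an array of one-line findings about the running PHP installation.
function php_security_findings()
{
    $findings = array();

    // 1. How is PHP embedded? This decides where settings can be overridden:
    //    mod_php ("apache2handler" / "apache") honours php_flag and php_value
    //    lines in .htaccess; a CGI/FastCGI binary ignores them and reads a
    //    local php.ini instead.
    $sapi = php_sapi_name();
    $findings[] = 'Server API: ' . $sapi
        . (strpos($sapi, 'cgi') === 0
            ? ' (CGI: override settings in a local php.ini, .htaccess php_flag has no effect)'
            : ' (module: php_flag/php_value in .htaccess apply, if AllowOverride permits)');

    // 2. Under which account do scripts run? With mod_php this is normally the
    //    shared web server user, so every customer's scripts have the same
    //    rights; with CGI plus suexec it should be your own account.
    $owner = get_current_user();   // owner of this script file
    $uid   = function_exists('posix_geteuid')
        ? posix_geteuid()
        : 'unknown (posix extension not available)';
    $findings[] = 'Script owner: ' . $owner . ', effective UID: ' . $uid;

    // 3. Directives whose usual hosting defaults are the insecure ones.
    //    Format: directive => array(wanted value, why it matters).
    $checks = array(
        'register_globals'  => array(false, 'request parameters become PHP globals'),
        'allow_url_fopen'   => array(false, 'fopen()/include of remote URLs possible'),
        'allow_url_include' => array(false, 'include() of remote code (PHP >= 5.2)'),
        'display_errors'    => array(false, 'error output leaks paths, SQL and variables'),
        'safe_mode'         => array(true,  'restricts scripts to files of their own owner'),
    );
    foreach ($checks as $name => $spec) {
        list($wanted, $why) = $spec;
        $actual = ini_bool($name);
        $findings[] = sprintf('%-18s %-3s %s', $name, $actual ? 'On' : 'Off',
            $actual === $wanted ? 'ok' : 'WARNING: ' . $why);
    }

    // 4. open_basedir: if empty, scripts may read any file the server user can,
    //    including other customers' configuration files on a shared server.
    $basedir = ini_get('open_basedir');
    $findings[] = 'open_basedir: '
        . (($basedir === '' || $basedir === false) ? 'WARNING: not set' : $basedir);

    return $findings;
}

header('Content-Type: text/plain');
echo 'PHP ' . PHP_VERSION . " security summary\n";
echo implode("\n", php_security_findings()), "\n";
```

Upload the script to your web space, open it once in the browser and delete it again. The "Server API" line is the one to act on first: with mod_php you can try to switch directives off with php_flag lines in an .htaccess file, whereas with CGI such lines either have no effect or produce an Apache error, and a php.ini in your own directory is the way to go; which of the two actually works is, as noted above, up to the provider's configuration.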